Policy on Information Technology Resources and Account Privacy
The University is committed to ensuring open discourse and the free expression of viewpoints and beliefs. The commitment includes ensuring that academic dialogue is free from unwarranted institutional intrusion and oversight. The purpose of this policy is to articulate the University’s responsibilities and obligations when preserving, accessing, or disclosing information from University information technology resources.
Applicability
This policy applies to all University faculty, other academic appointees, students, post-doctoral researchers, staff, associates, volunteers and contractors (“Covered Persons”) who use University information technology resources and to all uses of those resources, whether physically located on campus or remotely. Although local information technology services at the University may have supplemental policies regarding acceptable use and user privacy expectations, those policies cannot diminish University responsibilities or user privacy expectations as set forth below.
University Obligations to Protect, Search and Disclose Information belonging to Covered Persons
All Covered Persons are expected to respect the privacy interests of those who use University information technology resources. The University also has legal, operational and compliance-based duties, which under specific circumstances require it to preserve and secure custody of information from users’ accounts and associated storage media. In some cases, the University may be required to access user content, search it using specialized software configured with appropriately tailored criteria, review the information found by the search, and disclose relevant portions to others who are duly authorized to receive it. In connection with these responsibilities, the University may also be obligated to request that a user turn over or provide appropriate access to University-related information on the user’s own personal computer, laptop, cell phone, or other electronic device. The University will act as appropriate to fulfill its legal obligations to preserve, review and, as appropriate, disclose data generated and/or maintained by users of University information technology resources. Except to the extent necessary to comply with the University’s legal obligations, the University will maintain the confidentiality of all privileged communications and work product.
When any use of University information technology presents an imminent threat to other users or to the University’s technology infrastructure or poses a likely violation of the law or University policy, the University may take the steps necessary to manage the threat and/or preserve and access data. Those measures may include, but are not limited to, changing passwords, removing access rights, disabling or impounding computers, or disconnecting specific devices or entire network segments from University voice and data networks. The University will restore connectivity and functionality as soon as practicable after the threat has been identified and resolved. The University may also implement additional measures to ensure the threat does not reoccur.
Notice
The University will attempt to provide notice in advance to the affected individual of access to or the preservation or sharing of data with third parties, unless such notification would put the University at risk or is prohibited by law. The University maintains the authority to limit access to its networks, systems and services or to remove material stored or posted on its networks, systems, and services when applicable policies, contractual obligations, or applicable laws have been violated or there is a reasonable belief that these have been violated.
Process
The University’s Office of Legal Counsel (OLC) has the responsibility and authority to review and approve all requests to preserve, access, and disclose a user’s electronic information. Although OLC works closely with information technology staff and decision makers across the campus, its ultimate legal and ethical duties are to the institution itself.
At all times, the OLC will use reasoned judgment to determine whether requests are consistent with this policy and the law.
The OLC will confer with the relevant University offices before approving, rejecting or modifying data access requests for the following roles:
- Academic appointees: Office of the Provost
- Students: The applicable Dean of Students and/or the Office of the Vice President of Campus and Student Life
- Staff employees and volunteers: Human Resources
- Other academic appointees and postdoctoral researchers: Respective dean’s office.
- Research: Institutional Review Boards
OLC will establish conditions or other parameters for the access to data under this policy, provide a decision-making framework to allow similar requests to follow consistent processes leading to similar outcomes, and maintain appropriate records of these processes. OLC will maintain a record of all such activity for at least one year and provide summary information to the Audit Committee of the University’s Board of Trustees and the University’s Board of Computing and Academic Services upon request.
Policy Ownership
Responsible University Officer(s): Chief Information Officer
Responsible Office: Office of the CIO
Effective date: 04-12-2024
Definitions
Confidential Information – Generally consists of non-public information about a person or an entity that, if disclosed, could reasonably be expected to place either the person or the entity at risk of criminal or civil liability or damage to the person or entity’s financial standing, employability, privacy, or reputation. Reference University HR policy 601 Treatment of Confidential Information for more information.
Covered Persons – All University faculty, other academic appointees, students, staff, post-doctoral researchers, volunteers, and contractors.
Information Security Program (“The Program”) – The Information Security Program is a set of coordinated services and activities designed to protect University data and information technology and manage the risks to the University associated with those resources, including the regulations below, as well as the procedures, standards, assessments, and protocols to govern information resources’ storage, accessibility, and security.
Information Technology Resources – Information technology resources are:
- Computers or electronic resources that are used in the search, access, acquisition, transmission, storage, retrieval, or dissemination of University data.
- Technologies or services that are owned, contracted by, or managed by the University that connect to the University network or link to another University technology or service or store University data or information.
- Services or applications used by the University in hosted environments where the University does not own or operate the technology infrastructure.
Service – IT infrastructure, platforms, or software hosted by third-party providers and made available to users through a network.
Third-Party – An organization or partner that the University contracts with to perform certain services on behalf of the University.
Covered Data – Data created, stored, or maintained, by or on behalf of the University.
Roles and Responsibilities
Office of Legal Counsel – The OLC provides guidance and facilitates the process that this policy refers to.
Chief Information Officer (CIO) – The CIO is responsible for providing guidance to University leadership concerning the appropriate use of information technology resources.
Chief Information Security Officer (CISO) – The CISO shall be responsible for leading the development, execution, monitoring, and enforcement of the University Information Security Program.
Related Information
University HR policy 601 Treatment of Confidential Information
Acceptable Use of Information Technology Policy
Contacts
The following offices can address questions regarding this Policy:
Title/Office | Email | Phone |
Associate Vice President and Chief Information Officer | cio@uchicago.edu | 773.702.5800 |
IT Services Information Security Office | security@uchicago.edu | 773.702.2378 |
Executive Director and Chief Information Security Officer (CISO) | ciso@uchicago.edu | 773.702.2378 |
Chief Privacy Officer | privacy@uchicago.edu | |
Revision Authority | Associate Vice President and Chief Information Officer |
Frequently Asked Questions
If there’s a reason to access, preserve, or review my data, when do I find out such a request was made?
The University will attempt to provide advance notice to the affected individual if the disclosure of the data access request is not prohibited by law or not prohibited by an immediate threat.
My access to a University information technology resource was removed without warning or communication. Why?
In some cases, such as an imminent threat or substantial risk, the University must address the issue immediately to prevent harm to the University community or other affected individuals.
What is the difference between preserving electronic information and accessing that information?
In some cases, the University may be required only to preserve an individual’s electronic information while in others it may be necessary to access and review the information. For example:
- The University may initiate a litigation or legal hold requiring preservation of certain information. A litigation or legal hold is a process that the organization undertakes to preserve all data that might relate to current or potential legal action involving the University or individuals at the University. The University may be legally required to preserve relevant data when it learns of a triggering event, such as a pending or imminent legal action, or when litigation is reasonably anticipated, e.g., when an accident with serious injuries has occurred.
- Access requests typically arise when an academic or administrative unit has an operational need for access to information created or maintained by an individual who has departed the University, for example, if an individual’s information is necessary to meet obligations under a federal grant or contract or to ensure important University business is not interrupted.
What is the process for accessing a faculty member’s files when a request is received? Will my personal email or internet activity be subject to review if it is unrelated to the matter that prompted a preservation or access request?
When screening reveals information not pertinent to the matter at hand, it is excluded from the information provided to the requesting party.
What records regarding preservation and access requests will be maintained?
The Office of Legal Counsel maintains a log that records the following information:
- who made a preservation or access request;
- the date of the request;
- the substance of the request;
- who was consulted in connection with making the decision;
- the decision itself;
- whether the user was notified and when;
- who else at the University was informed of the request, the decision or the data/information gathering;
- and when the information was gathered and disclosed to the requesting party.
Who else is alerted to preservation or access requests?
The Office of Legal Counsel will confer with the relevant University offices before approving, rejecting, or modifying data access requests for the following roles:
- Academic appointees: Office of the Provost
- Students: The applicable Dean of Students and/or the Office of the Vice President of Campus and Student Life
- Staff employees and volunteers: Human Resources
- Other academic appointees and postdoctoral researchers: Respective dean’s office.
- Research: Respective Institutional Review Board
What are examples of when the University would need to access, preserve, and review information stored in or on an individual’s University information technology resources?
The following are examples of when the University may need to access, preserve, or review information in University information technology resources:
- If the University receives a subpoena for an individual’s records in connection with a lawsuit
- If a student makes a request for their education records stored on University computers
- If the University has a legal or regulatory obligation to preserve or disclose information stored on University computers
- If the University must respond to an imminent threat to other users or to the University’s technology infrastructure. For example, if the University is responding to an information security incident or physical security threat, it may be necessary to access information on information technology resources.
These FAQs are subject to change and will be updated as needed.
Last Updated: 3/8/24