
Electronically Stored Information Release - Guidance for Authorizing Officials

General

The authorization for University personnel or entities external to the University to monitor or review the electronically stored information (ESI), including the email communications or data files of students and employees, is not granted casually. Such authorization will require formal approval and justification based on permissions granted by the account holder, business needs, or reasonably substantiated allegations of violation of law or policy on the part of the student(s), faculty, or staff member(s) whose information is to be reviewed. This document provides guidance to the UVa Privacy and Confidentiality of University Information (IRM-012) policy, the Electronically Stored Information Release Standard, and the associated Electronically Stored Information Release Procedures.

Investigations of Violations of Law or Policy

Requests for authorization to monitor or review electronic communications usually originate with supervisors, University human resources staff, or Dean of Student representatives. They may also originate with an investigatory authority such as the director of the office for Equal Opportunity and Civil Rights (looking into a sexual harassment claim, for example) or the University's Research Integrity Officer (RIO). The authorizing official, who may be a vice president or designee, is asked to consider approving the monitoring or review of an employee's electronic communications or files and must use their judgment in determining whether there is sufficient reason to grant such approval. In these situations, the authorizing official must maintain confidentiality and is strongly urged to consult with the Office of University Counsel in determining whether to approve the monitoring or review and whether the affected employee or anyone else should be notified that the monitoring or review is taking place.

Business Continuity-Related Requests for ESI

Examples of business continuity requests to access employee or student electronic communications include but are not limited to:

• access to a former employee's email account for the purpose of determining whether any unanswered and time-sensitive email communications directed to the former employee require a response

• negotiations of sufficient importance to justify review of the employee's electronic communications and files when that employee is unavailable to give consent for that review

• an urgent and sufficiently serious issue with health, safety, or legal implications

In many cases, rather than the authorizing official granting unfettered access to the account(s) in question, it is preferred that the requestor exercise due diligence in directly enlisting the help of the account owner(s) to extract the necessary business materials or to consider other steps to maintain the privacy of unrelated and/or personal materials contained within the account.  Other possibilities for review may include obtaining assistance from an independent reviewer who does not have supervisory, teaching, or management responsibilities over the person whose materials are being reviewed.

To initiate a business continuity request, consult the associated Electronically Stored Information Release Procedures.

The Commonwealth of Virginia's Uniform Fiduciary Access to Digital Assets Act (UFADA) requires that the University not grant access to data from a deceased user’s electronically stored information (e.g., email) in the custody of the University without the prior written consent of the deceased individual concerned, unless allowed or required by law or legal requests. Such requests should be directed to the University Information Security office by emailing it-policy@virginia.edu.

Other ESI Request Guidance 

Medical Center (Agency 209) ESI Requests 

The Health and Information Technology department coordinates ESI requests for approval.

College at Wise (Agency 246) ESI Requests

The Office of Information Technology at UVA Wise (http://www.uvawise.edu/oit) coordinates Agency 246 ESI requests for approval.

Virginia Freedom of Information Act (FOIA) ESI Requests

Requests pursuant to the Virginia Freedom of Information Act (FOIA) should be directed to University Communications. More information on making FOIA requests can be found at www.virginia.edu/foia

Family Education Rights and Privacy Act (FERPA) ESI Requests

Requests for student information pursuant to the Family Education Rights and Privacy Act (FERPA) should be directed to the University Registrar (http://www.virginia.edu/registrar/accessacadrecord.html).

Note:  All officials releasing ESI must recognize the potentially sensitive nature of content that is found during the course of an investigation. Reports and findings must be kept confidential, consistent with the rules of the disciplinary bodies involved.

Circumstances Not Requiring Authorization

Most security tests of computing systems do not constitute monitoring or review of employee electronic communications or files. Consequently, authorization is not required for appropriate University staff to conduct such security testing, including testing done by system administrators to determine the strength of protection afforded by the passwords that students or employees may select. Under no circumstances should employees reveal account passwords to anyone, including to system administrators, LSPs, or supervisors. This testing is aimed at revealing weak or "guessable" passwords, and the appropriate action in responding to identification of a weak password is for the employee or student to change it immediately.

Similarly, authorization is not required for appropriate University staff to review attempted access of its systems by persons (employees or others) not authorized to use them.  In addition, authorization is also not required for review by appropriate University staff of records of the numbers employees call using the University's long-distance telephone system. Such reviews are routinely conducted as part of an Audit department review.

All Other ESI Requests

If you have questions about what ESI is available and/or how to make a request not answered by the above information, please contact the University Information Security office at it-policy@virginia.edu.
