Search Information Security site

 

Electronically Stored Information Release Procedures

Table of Contents

1.  Purpose and Background
2.  Procedures
     a) Internal to UVA ESI Request Procedures
     b) External to UVA ESI Request Procedures
     c) All Other ESI Requests
3.  Definitions
4.  Related Links
5.  Further Guidance
6.  Exceptions

[Return to Library]

1. Purpose and Background

Investigations and/or business continuity issues sometimes require access to electronic communications and files stored on University systems outside of access that occurs in the approved day-to-day business of the University or is publically available.  Access to such electronically stored information (ESI) will only be done with proper approvals from authorizing UVA officials as listed below and in compliance with both the Privacy and Confidentiality of University Information (IRM-012) and the Data Protection of University Information (IRM-003) policies. This procedure and its associated Electronically Stored Information Release standard applies to anyone managing or seeking access to content from the electronic communications and files of others stored on University systems and IT resources.

[Table of Contents]

2. Procedures

Internal to UVA ESI Request Procedures

Procedures for ESI requests that originate from within the University community may vary according to the authorizing official, and may be subject to additional approvals depending on the nature of the information requested.  Note: Requests for ESI may be subject to additional review by the Office of University Counsel prior to release.

The Information Security office coordinates ESI request for approvals for Agency 207. The University Information Security (In) office also assumes the lead coordination role in any requests for ESI on central IT systems.  Requests for ESI may be directed to the InfoSec office at it-policy@virginia.edu.and should include the purpose and subject of the request.  Requestors are encouraged to be as specific as possible and to limit the scope of the electronic information being requested to that which is most relevant to the request.  Providing specific details will speed delivery and enhance the accuracy and pertinence of information released. Requesting ESI that spans a larger time period or involves more subjects than needed may lengthen the request turnaround time and expand the volume of the information received in a manner that precludes usefulness.  Procedures for various ESI request scenarios coordinated by the University Information Security office are detailed below.

Employee Investigations and Business Continuity-Related ESI Requests

University administrators investigating incidents as part of a disciplinary processes or dealing with business continuity issues needing access to ESI (such as departmentally-managed file shares, UVaBox files or email messages) will need to obtain appropriate authorization. The approval to access a user's ESI is required by the Privacy and Confidentiality of University Information (IRM-012) policy.  Such access requires official University review and an authorizing official who is the president or the relevant vice president (or delegate) responsible for the affected user's area.  The process is as follows:

  • The requestor should contact the InfoSec office at it-policy@virginia.edu and provide a description of, and rationale for, the request and instruction as to whom shall receive the ESI.
  • The appropriate authorizing official must email their approval directly to it-policy.  It is helpful it if includes the original requestor's email.
  • The University Information Security office will then review and if appropriate, coordinate the release of the ESI.

Student Investigation-Related ESI Requests

Approvals for ESI related to the University's Policy on Sexual and Gender-Based Harassment and Other Forms of Interpersonal Violence, or to individual student academic investigations are reviewed and approved by the University's Vice President and Chief Student Affairs Officer or designee(s).  Approval for any other requests involving a student’s ESI are issued by the Office of the Dean of Students in coordination with the Office of University Counsel and the University Information Security office.

If the request involves a student’s ESI:

  • The requestor should contact the Office of the Dean of Students (ODOS) by emailing ODOS@virginia.edu or calling 434-924-7133 OR the University Information Security (InfoSec) office at it-policy@virginia.edu and provide both a detailed description of the ESI release and instruction as to whom shall receive the ESI
  • The InfoSec office will then coordinate the release of the ESI, once the appropriate authorizing official has approved the release.

Automatic Replies, Redirects, and Email Access Requests

The president, vice-president, VP, dean, or designee responsible for the department or area with which the affected user is primarily affiliated must approve access to the stored email within a user's account. 

Approvals for setting another user’s automatic email reply message or to temporarily cut off a particular user’s access (e.g., to email) must come from the authorizing official or designee directly responsible for the department or area (e.g., department chair) with which the affected user is primarily affiliated, or from University Human Resources. 

Note:  Access to another user’s email, either via auto-forwarding, inbox sharing, or any other method may not be authorized by anyone other than the individual to whom the account is assigned.

The process to request approval is as follows:

  • The requestor should contact the University Information Security office at it-policy@virginia.edu and provide a description of, and rationale for, the request. 
    If the request is for blocking email account access, or for an automatic reply, please include the wording and alternate contact information to be put into an automatic email reply message.
  • The appropriate authorizing official must email their approval directly to it-policy.  It is helpful it if includes the original requestor's email.
  • The InfoSec office will then review and, if appropriate, coordinate the implementation of the request.

Requests for ESI of a Deceased Person

Requests for access to a deceased user’s ESI that is in the custody of the University requires the prior written consent of the deceased individual concerned or be allowed or required by law or legal requests (e.g. Freedom of Information Act (FOIA), Uniform Fiduciary Access to Digital Assets Act (UFADA)).   Such requests should be sent to either the University's Vice-President and Chief Student Affairs Officer (or designee) or the University Information Security office (by emailing it-policy@virginia.edu).  Such requests will be reviewed in consultation with the University Counsel’s office, for compliance with applicable laws, such as the Uniform Fiduciary Access to Digital Assets Act (UFADA).  Approvals for business continuity-related requests for this type of ESI requires official University review and approval by the President or the relevant vice president (or delegate) responsible for the affected user's department or area.  Such requests should be initiated in the same manner as detailed above for Business Continuity-Related ESI Requests.

Non-Content and Day-to-Day ESI Requests

Some access and requests do not require approval, per the Privacy and Confidentiality of University Information (IRM-012) policy.   Some examples are:

  • Most security tests of IT resources, as they do not constitute monitoring or review of a user's ESI.
  • Reviews of attempted access to systems by anyone not authorized to use them.
  • Reviews of records of the telephone numbers employees call using the University's long-distance telephone system.
  • Requests for access to certain ESI by members of the University community that

1. do not involve access to a user’s communications or files (such as IT-related requests for an IP address associated with computer access or a computer's Ethernet Hardware Address (EHA) or Media Access Control (MAC) address and its associated user) and

                        a. is required for the performance of regular job duties,

                        b. and/or is obtained by tools that have been previously approved.

System administrators and similar IT personnel who receive requests that do not involve a users’ files or communications (e.g., logs of login and/or access of a IT resource) must refer such requests to the InfoSec office at it-policy@virginia.edu for coordination of the approval review and, if approval is granted, the release of the requested information.

Most security tests of IT resources do not constitute monitoring or review of employee electronic communications or files. Consequently, presidential or vice-presidential authorization is not required for appropriate University staff to conduct such security testing, including testing done by system administrators to determine the strength of protection afforded by the passwords that users select. 

In no case should users reveal their passwords to anyone, including to system administrators and/or supervisors.

Medical Center (Agency 209) ESI Requests 

The Health and Information Technology department coordinates ESI requests for approval.

College at Wise (Agency 246) ESI Requests

The Office of Information Technology at UVA Wise coordinates Agency 246 ESI requests for approval.

Virginia Freedom of Information Act (FOIA) ESI Requests

Requests pursuant to the Virginia Freedom of Information Act (FOIA) should be directed to University Communications. More information on making FOIA requests can be found at www.virginia.edu/foia.

Family Education Rights and Privacy Act (FERPA) ESI Requests

Requests for student information pursuant to the Family Education Rights and Privacy Act (FERPA) should be directed to the University Registrar.

Note:  All officials releasing ESI must recognize the potentially sensitive nature of content that is found during the course of an investigation. Reports and findings must be kept confidential, consistent with the rules of the disciplinary bodies involved.

External to UVA ESI Request Procedures

ESI requests originating from outside the University community, such as requests from law enforcement or from government officials, will typically need to be accompanied by legal orders (such as search warrants or subpoenas).  Some federal legislation requires additional processes. However, all requests must go to the Office of University Counsel for review. Any employee of the University, who receives such a request, should refer the requestor to the Office of University Counsel.   Their address is:

University of Virginia
Madison Hall, Third Floor
P.O. Box 400225
Charlottesville, Virginia 22904-4225
Phone 434-924-3586
Fax 434-982-3020

All Other ESI Requests

If you have questions about what ESI is available and/or how to make a request not answered by the above information, please contact the University Information Security office at it-policy@virginia.edu.

[Table of Contents]

3. Definitions

For a comprehensive list of the definitions found in the Acceptable Use, Data Protection, Information Security, and Privacy & Confidentiality policies, please click here.

[Table of Contents]

4. Related Links

[Table of Contents]

5. Further Guidance

[Table of Contents]

6. Exceptions

If you think you need to request an exception to these requirements, please refer to the Exceptions Process.

[Table of Contents]

APPROVER: Chief Information Security Officer

Report an Information
Security Incident

Please report any level of incident, no matter how small. The Information
Security Office will evaluate the report and provide a full investigation.

Complete Report Form