Search Information Security site


Monitoring and Review of Employee Electronic Communications or Files

Effective Date is 10/03/01.


Defines University policy on institutional monitoring or review of the content of employee electronic communications or employee electronic files.

Policy Text

The Commonwealth of Virginia's Human Resource Policy 1.75 contains the following statement: "No user should have any expectation of privacy in any message, file, image or data created, sent, retrieved or received by use of the Commonwealth's equipment and/or access." The policy states that Virginia agencies, including its institutions of higher education, have "the right to monitor any and all aspects of their computer systems" and to do so "at any time, without notice, and without the user's permission." The policy applies to all state employees, including faculty and staff of the University of Virginia.

The University holds as core values the principles of academic freedom and free expression. In consideration of these principles, the University will not monitor the content of electronic communications of its employees in most instances, nor will it examine the content of employee electronic communications or other employee electronic files stored on its systems except under certain circumstances. In this context, "electronic communications" includes telephone communications, so-called "phone mail," e-mail, and computer files traversing the University network or stored on University equipment.

Examples of when monitoring and/or review may occur include, but are not limited to, the following circumstances:

  • communications or files targeted by orders of a court of law or requested in accord with the Virginia Freedom of Information Act.
  • supervisor and/or Internal Audit review of University telephone system long-distance call records.
  • electronic communications or files that have been inadvertently exposed to technical staff who are operating in good faith to resolve technical problems. When technical staff inadvertently see or hear potentially illegal content in communications or files, they are required to report what they have seen or heard to appropriate authorities. Otherwise, the University expects technical staff to treat inadvertently encountered electronic communications and files of University employees as confidential and not subject to disclosure to anyone.
  • routine administrative functions, such as security tests of computing systems, including password testing by system administrators to identify guessable passwords, and investigations of attempted access into systems by unauthorized persons (system administrators and other technical staff will not access employees' electronic communications or files while performing these functions).
  • situations such as:
    • an investigation into allegations of violations of law or policy
    • an urgent need for access to University business documents when an employee is unavailable

    Such situations will be specifically reviewed by and approved by the president or the vice president (or equivalent) responsible for the affected employee(s).

  • for some units of the University, routine monitoring or examination of employee electronic communications or files as part of the work environment. Such routines must be approved by the relevant vice president (or equivalent), and affected employees must be informed in advance that such monitoring or examination will be taking place.

This policy does not mean that the University has lower expectations for its employees' behavior. It expects University employees to obey all applicable policies and laws in the use of computing and communications technologies.

This policy shall not be interpreted as requiring public disclosure of confidential and privileged attorney-client communications with the University's Office of General Counsel (or other duly appointed legal counsel for the University) seeking or providing legal guidance for or on behalf of the University of Virginia.

See related Guidance document.

Revisions: None

Report an Information
Security Incident

Please report any level of incident, no matter how small. The Information
Security Office will evaluate the report and provide a full investigation.

Complete Report Form