The University intends that authorization for non-law-enforcement University personnel to monitor or review electronic communications or files of employees, including faculty and staff, will not be granted casually. Such authorization will require justification based on business needs or on sufficient cause from reasonably substantiated allegations of violation of law or policy on the part of the faculty or staff member. Authorization may be granted by the University president or a vice president (or equivalent) responsible for the affected employee.
Investigations of Violations of Law or Policy
Requests for authorization to monitor or review electronic communications or files because of allegations of violations of policy or law by faculty or staff members usually originate with supervisors. They may also originate with an investigatory authority such as the Director of Equal Opportunity Programs (looking into a sexual harassment claim, for example). A vice president who is asked to consider authorization for monitoring or reviewing the electronic communications or files of an employee must use his or her judgment in determining if there is sufficient reason to grant such authorization. In these situations, the University expects the vice president to maintain confidentiality and to consult with the Office of the General Counsel in determining whether to authorize monitoring or review and in determining if the affected employee or anyone else should be notified that the monitoring or review is taking place.
Examples of business needs include but are not limited to:
• the need to have access to the e-mail of an employee who is unexpectedly unavailable and who is conducting time-sensitive negotiations with an outside entity
• negotiations of sufficient importance to justify review of the employee's electronic communications and files when that employee is unable to give consent for that review
• an urgent and sufficiently serious issue of health or safety.
Often it will be desirable for the University to exercise diligence in enlisting the help of the employee to extract the business materials and in considering other steps to respect the personal nature of any other materials present if that help is unavailable. Such steps may include the use of an independent confidential reviewer -- a person on the University staff who does not have supervisory or management responsibilities for the employee whose materials are being reviewed -- to extract the business materials.
Circumstances Not Requiring Authorization
Most security tests of computing systems do not constitute monitoring or review of employee electronic communications or files. Consequently, presidential or vice-presidential authorization is not required for appropriate University staff to conduct such security testing, including testing done by system administrators to determine the strength of protection afforded by the passwords its employees select. In no case, of course, should employees reveal their passwords to anyone, including their system administrators. This testing is aimed at revealing weak or "guessable" passwords, and the appropriate action in responding to identification of a weak password is for the employee to change it immediately.
Similarly, presidential or vice-presidential authorization is not required for appropriate University staff to review attempted access of its systems by persons (employees or others) not authorized to use them.
Presidential or vice-presidential authorization is also not required for review by appropriate University staff of records of the numbers employees call using the University's long-distance telephone system. Such reviews are routinely conducted as part of an Internal Audit review.