The authorization for University personnel or entities external to the University to monitor or review the electronically stored information (ESI), including the email communications or data files of students and employees, is not granted casually. Such authorization will require formal approval and justification based on permissions granted by the account holder, business needs, or by reasonably substantiated allegations of violation of law or policy on the part of the student(s), faculty, or staff member(s) whose information is to be reviewed. This document provides guidance to the UVa Privacy and Confidentiality of University Information (IRM-012) policy, the Electronically Stored Information Release Standard and the associated Electronically Stored Information Release Procedures.
Investigations of Violations of Law or Policy
Requests for authorization to monitor or review electronic communications usually originate with supervisors, University human resources staff, or Dean of Student representatives. They may also originate with an investigatory authority such as the director of the office for Equal Opportunity and Civil Rights (looking into a sexual harassment claim, for example) or the University's Research Integrity Officer (RIO). The authorizing official, who may be a vice president or designee who is asked to consider approving the monitoring or reviewing of the electronic communications or files of an employee must use their judgment in determining whether there is sufficient reason to grant such approval. In these situations, the authorizing official must maintain confidentiality and is strongly urged to consult with University Counsel in determining whether to approve the monitoring or review and in determining if the affected employee or anyone else should be notified that the monitoring or review is taking place.
Business Continuity-Related Requests for ESI
Examples of business continuity requests to access employee or student electronic communications include but are not limited to:
• access to a former employee's email account for the purpose of determining whether any unanswered and time-sensitive email communications directed to the former employee require a response
• negotiations of sufficient importance to justify review of the employee's electronic communications and files when that employee is unavailable to give consent for that review
• an urgent and sufficiently serious issue with health, safety, or legal implications
In many cases, rather than the authorizing official granting unfettered access to the account(s) in question, it is preferred that the requestor exercise due diligence in directly enlisting the help of the account owner(s) to extract the necessary business materials or to consider other steps to maintain the privacy of unrelated and/or personal materials contained within the account. Other possibilities for review may include obtaining assistance from an independent reviewer who does not have supervisory, teaching, or management responsibilities over the person whose materials are being reviewed.
To initiate a business continuity request, consult the associated Electronically Stored Information Release Procedures.
The Commonwealth of Virginia's Uniform Fiduciary Access to Digital Assets Act (UFADA)) requires that the University not grant access to data from a deceased user’s electronically stored information (e.g., email) in the custody of the University without the prior written consent of the deceased individual concerned or unless allowed or required by law or legal requests. Such requests should be directed to UVA's Records and Information Management (RIM) office by submitting their Request for Electronically Stored Information (ESI) in ServiceNow.
Other ESI Request Guidance
Medical Center (Agency 209) ESI Requests
The Health and Information Technology department coordinates ESI requests for approval.
College at Wise (Agency 246) ESI Requests
The Office of Information Technology at UVA Wise coordinates Agency 246 ESI requests for approval.
Virginia Freedom of Information Act (FOIA) ESI Requests
Requests pursuant to the Virginia Freedom of Information Act (FOIA) should be directed to University Communications. More information on making FOIA requests can be found at www.virginia.edu/foia.
Family Education Rights and Privacy Act (FERPA) ESI Requests
Requests for student information pursuant to the Family Education Rights and Privacy Act (FERPA) should be directed to the University Registrar (link to https://www.virginia.edu/registrar/accessacadrecord.html).
Note: All officials releasing ESI must recognize the potentially sensitive nature of content that is found during the course of an investigation. Reports and findings must be kept confidential, consistent with the rules of the disciplinary bodies involved.
Circumstances Not Requiring Authorization
Most security tests of computing systems do not constitute monitoring or review of employee electronic communications or files. Consequently, authorization is not required for appropriate University staff to conduct such security testing, including testing done by system administrators to determine the strength of protection afforded by the passwords that students or employees may select. Under no circumstances should employees reveal account passwords to anyone, including to system administrators, LSPs, or supervisors. This testing is aimed at revealing weak or "guessable" passwords, and the appropriate action in responding to identification of a weak password is for the employee or student to change it immediately.
Similarly, authorization is not required for appropriate University staff to review attempted access of its systems by persons (employees or others) not authorized to use them. In addition, authorization is also not required for review by appropriate University staff of records of the numbers employees call using the University's long-distance telephone system. Such reviews are routinely conducted as part of an Audit department review.
All Other ESI Requests
If you have questions about what ESI is available and/or how to make a request not answered by the above information, please contact the Records and Information Management (RIM) office by submitting their Request for Electronically Stored Information (ESI) in ServiceNow or emailing them at email@example.com
REVISION HISTORY: June 10, 2021