Electronically Stored Information Release Procedures

Table of Contents

1.  Purpose and Background
2.  Procedures
     a) Internal to UVA ESI Request Procedures
     b) External to UVA ESI Request Procedures
     c) All Other ESI Requests
3.  Definitions
4.  Related Links
5.  Further Guidance
6.  Exceptions

REVISION HISTORY: September 12, 2022April 15, 2021

[Return to Library]

1. Purpose and Background

Investigations and/or business continuity issues sometimes require access to electronic communications and files stored on University systems outside of access that occurs in the approved day-to-day business of the University or is publicly available.  Access to such electronically stored information (ESI) will only be done with proper approvals from authorizing UVA officials as listed below and in compliance with both the Privacy and Confidentiality of University Information (IRM-012) and the Data Protection of University Information (IRM-003) policies. This procedure and its associated Electronically Stored Information Release standard applies to anyone managing or seeking access to content from the electronic communications and files of others stored on University systems and IT resources.

[Table of Contents]

2. Procedures

Internal to UVA ESI Request Procedures

Procedures for ESI requests that originate from within the University community may vary according to the authorizing official, and may be subject to additional approvals depending on the nature of the information requested.  Note: Requests for ESI may be subject to additional review by the Office of University Counsel prior to release.

The Records and Information Management (RIM) office coordinates ESI request for approvals for Agency 207. The The Records and Information Management office also assumes the lead coordination role in any requests for ESI on central IT systems.  Requests for ESI should be directed to the RIM office by submitting their Request for Electronically Stored Information (ESI) in ServiceNow.

Requestors are encouraged to be as specific as possible and to limit the scope of the electronic information being requested to that which is most relevant to the request.  Providing specific details will speed delivery and enhance the accuracy and pertinence of information released. Requesting ESI that spans a larger time period or involves more subjects than needed may lengthen the request turnaround time and expand the volume of the information received in a manner that precludes usefulness.  Procedures for various ESI request scenarios coordinated by the University Records and Information Management office are detailed below.

Employee Investigations and Business Continuity-Related ESI Requests

University administrators investigating incidents as part of a disciplinary processes or dealing with business continuity issues needing access to ESI (such as departmentally-managed file shares, UVaBox files or email messages) will need to obtain appropriate authorization. The approval to access a user's ESI is required by the Privacy and Confidentiality of University Information (IRM-012) policy.  Such access requires official University review and an authorizing official who is the president or the relevant vice president (or delegate) responsible for the affected user's area.  The process is as follows:

Student Investigation-Related ESI Requests

Requests for any records involving a student's ESI are reviewed and approved by the University's Vice President and Chief Student Affairs Officer or designee(s) in coordination with the Office of University Counsel and the Records and Information Management office.

If the request involves a student’s ESI:

Automatic Replies, Redirects, and Email Access Requests

The president, vice-president, VP, dean, or designee responsible for the department or area with which the affected user is primarily affiliated must approve access to the stored email within a user's account. 

Approvals for setting another user’s automatic email reply message or to temporarily cut off a particular user’s access (e.g., to email) must come from the authorizing official or designee directly responsible for the department or area (e.g., department chair) with which the affected user is primarily affiliated, or from University Human Resources. 

Note:  Access to another user’s email, either via auto-forwarding, inbox sharing, or any other method may not be authorized by anyone other than the individual to whom the account is assigned.

The process to request approval is as follows:

  • The requestor should should submit a Request for Electronically Stored Information (ESI) in ServiceNow, providing a description of, and rationale for, the request. 
  • If the request is for blocking email account access or for an automatic reply, please select "Business Continuity" under Request Type and in the text box labelled "Please provide as much information on the other sources as possible" include the wording and alternate contact information to be put into an automatic email reply message.
  • The RIM office will then review and, if appropriate, coordinate the implementation of the request.

Requests for ESI of a Deceased Person

Requests for access to a deceased user’s ESI that is in the custody of the University requires the prior written consent of the deceased individual concerned or be allowed or required by law or legal requests (e.g. Freedom of Information Act (FOIA), Uniform Fiduciary Access to Digital Assets Act (UFADA)).   Such requests should be sent to either the University's Vice-President and Chief Student Affairs Officer (or designee) or the University RIM office by submitting their Request for Electronically Stored Information (ESI) in ServiceNow.  Such requests will be reviewed in consultation with the University Counsel’s office, for compliance with applicable laws, such as the Uniform Fiduciary Access to Digital Assets Act (UFADA).  Approvals for business continuity-related requests for this type of ESI requires official University review and approval by the President or the relevant vice president (or delegate) responsible for the affected user's department or area.  Such requests should be initiated in the same manner as detailed above for Business Continuity-Related ESI Requests.

Non-Content and Day-to-Day ESI Requests

Some access and requests do not require approval, per the Privacy and Confidentiality of University Information (IRM-012) policy.   Some examples are:

  • Most security tests of IT resources, as they do not constitute monitoring or review of a user's ESI.
  • Reviews of attempted access to systems by anyone not authorized to use them.
  • Reviews of records of the telephone numbers employees call using the University's long-distance telephone system.
  • Requests for access to certain ESI by members of the University community that do not involve access to a user’s communications or files (such as IT-related requests for an IP address associated with computer access or a computer's Ethernet Hardware Address (EHA) or Media Access Control (MAC) address and its associated user) and is required for the performance of regular job duties, and/or is obtained by tools that have been previously approved.

System administrators and similar IT personnel who receive requests that do not involve a users’ files or communications (e.g., logs of login, call detail records, and/or access of a IT resource) should start by submitting a Request for Electronically Stored Information (ESI) in ServiceNow. The University RIM office will coordinate of the approval review and, if approval is granted, the release of the requested information.

Most security tests of IT resources do not constitute monitoring or review of employee electronic communications or files. Consequently, presidential or vice-presidential authorization is not required for appropriate University staff to conduct such security testing, including testing done by system administrators to determine the strength of protection afforded by the passwords that users select. 

In no case should users reveal their passwords to anyone, including to system administrators and/or supervisors.

Medical Center (Agency 209) ESI Requests 

The Health and Information Technology department coordinates ESI requests for approval.

College at Wise (Agency 246) ESI Requests

The Office of Information Technology at UVA Wise coordinates Agency 246 ESI requests for approval.

Virginia Freedom of Information Act (FOIA) ESI Requests

Requests pursuant to the Virginia Freedom of Information Act (FOIA) should be directed to University Communications. More information on making FOIA requests can be found at www.virginia.edu/foia.

Family Education Rights and Privacy Act (FERPA) ESI Requests

Requests for student information pursuant to the Family Education Rights and Privacy Act (FERPA) should be directed to the University Registrar.

Note:  All officials releasing ESI must recognize the potentially sensitive nature of content that is found during the course of an investigation. Reports and findings must be kept confidential, consistent with the rules of the disciplinary bodies involved.

External to UVA ESI Request Procedures

ESI requests originating from outside the University community, such as requests from law enforcement or from government officials, will typically need to be accompanied by legal orders (such as search warrants or subpoenas).  Some federal legislation requires additional processes. However, all requests must go to the Office of University Counsel for review. Any employee of the University, who receives such a request, should refer the requestor to the Office of University Counsel.   Their address is:

University of Virginia
Madison Hall, Third Floor
P.O. Box 400225
Charlottesville, Virginia 22904-4225
Phone 434-924-3586
Fax 434-982-3020

All Other ESI Requests

If you have questions about what ESI is available and/or how to make a request not answered by the above information, please contact the University RIM office by emailing [email protected].

[Table of Contents]

3. Definitions

See the list of definitions for the Acceptable Use, Data Protection, Information Security, and Privacy & Confidentiality policies.

[Table of Contents]

4. Related Links

[Table of Contents]

5. Further Guidance

[Table of Contents]

6. Exceptions

If you think you need to request an exception to these requirements, please refer to the Exceptions Process.

[Table of Contents]

APPROVER: Chief Information Security Officer