Information Technology

Privacy of Personally Created Content

Policy:  Privacy of Personally Created Content
Dept. Responsible: Information Technology
Effective Date: March 1, 2010
Revised Date: December 20, 2009

Overview

Butler University cherishes the freedom of expression, the diversity of values and perspectives inherent in an academic institution, and the value of privacy for all members of its community. We do not condone censorship, nor do we routinely access or inspect data stored on Butler systems and devices. However, these values and rights must be balanced against the legal obligations of the University, as well as against the needs of the larger community.

At times, legitimate reasons exist for persons other than the account holder to access computers, computer files, or network traffic stored on or passing through Butler Systems. This policy endeavors to balance the privacy of the individual with the protection of the University and the community it serves.

Scope

This policy applies to all users of Butler University's computer and voice systems (hereafter referred to as "Butler Systems"). This includes all computer systems, Butler-provided devices, data storage, related communication technologies, and information transmitted or maintained on these technologies. It also applies to personal content created by faculty, staff, and students using Butler's Systems.

Policy Statement

1) Data stored on Butler Systems will not be accessed by anyone other than:

  1. The account holder;
  2. The originator or recipient of a communication; or
  3. The person assigned a computer system or technology on which data is stored
  EXCEPT in the specific circumstances outlined in this policy.

2) What is covered:

  1. Data and other files, including electronic mail and voicemail, stored on, encrypted on, or in transit to or from individual computer or voicemail accounts;
  2. University owned or managed systems;
  3. University owned computers and related technologies assigned to individuals or groups; and
  4. University data and files on personally owned and other devices.

3) Reasons to access user data or systems by University personnel other than the account holder

  1. Situations that require written authorization of account holder or applicable VP (or President), Executive Director or College Dean:
    1. Critical operational necessity - information needed for critical operation and the person is unavailable (terminated, incapacitated, unreachable, unwilling, or deceased).
    2. Reasonable cause for investigation - evidence that reasonably causes the University to conclude that the user may be engaging in or may be planning to engage in a violation of law or University policy.
    3. Response to lawful demand - subpoena, warrant or legal order.
    4. Request on behalf of parents or the estate of a deceased student.
    5. Substantial University risk of harm or liability.
    6. When permission is given by account holder.
  2. Situations that do not require written authorization:
    1. Emergency problem resolution - when an Information Technology (IT) technician has reasonable belief that a program/process will cause significant system or network degradation, or could cause loss/damage to data.
    2. Collaborative information or resources - systems/data that by their nature are not private - e.g. shared computers, documents, folders.
    3. Content neutral system generated information - information generated by systems that helps maintain storage, performance and security of systems.
    4. Network communications - IT staff may observe, capture and analyze network communication to ensure security and reliability of network.
    5. Implied consent - situation where user has requested assistance in diagnosing or solving a technical problem.
    6. System administrative need - normal data backup, upgrade, or problem resolution.

4) Procedure for accessing and reviewing personal data

  1. Accessing data - Procedure for accessing data or systems requiring written permission:
    1. Request: Appropriate party as designated in section 3 a above will make request in writing outlining the scope of the information needed along with rationale for accessing system/data, and will present that to the Chief Information Officer (CIO) in the Information Technology department.
    2. Approval:
      1. CIO will carefully review the request to access or review personal data and validate that the request meets the criteria outlined in section 3 a above.
      2. CIO will consult with and obtain approval from a third-party senior leader outside the area initiating the request (e.g., Executive Director of HR, Provost, VP Student Affairs, College Dean, President). However, in the case of a request to access the account of a Butler staff member under section 3 a i above, no third-party approval will be required.
      3. In the CIO's absence, the Information Technology director designated as the acting CIO will handle the request on behalf of the CIO; the CIO will then be informed and consulted as soon as practical.
      4. If there is disagreement between requestor, CIO and the third party, the President will act as the final arbiter.
    3. Access: CIO will always go through a system administrator to gain access to data.
    4. Notification: CIO or designee will make a reasonable effort to report access of data to account holder prior to access except:
      1. When doing so may result in the destruction, removal or alteration of data;
      2. When prior notice is not practical due to urgency; or
      3. When other circumstances make prior notice inappropriate or impractical.
      When prior notice is not appropriate or practical, reasonable efforts will be made to notify affected individual as soon as practical following access unless other circumstances make follow up inappropriate.
  2. Reviewing data - Procedure for reviewing data or systems requiring written permission:
    1. Review: Data obtained for a request will be reviewed by the fewest individuals practical in order to meet the required need. This will generally be the requesting VP or Executive Director or College Dean or a third party (e.g., HR, BUPD, Provost Office, Student Affairs, Legal Counsel).
    2. Share findings: The person whose files or systems were accessed may request to have the findings shared with them.
  3. Reporting:
    1. Information Technology will maintain a confidential record of all requests for access to data or systems under section 3 a of this policy.
    2. In the spirit of disclosure, the CIO will make an annual report, in the fall, to the Information Management Council (IMC) of any requests to access data or systems under the provisions of section 3a of this policy.
      1. The report will cover any and all investigations which have been closed since the previous report.
      2. This information will be provided to the IMC on a confidential basis and members agree to maintain confidentiality of such information.
      3. The events will be in a redacted format to protect the privacy of individuals; however, for each account accessed under this policy, the report will include at a minimum:
        • General classification of the account holder(s):  faculty, staff, student, affiliate.
        • Incident timeframe as defined by:  fall semester, spring semester, summer.
        • Section(s) of this policy which allowed the access and thus a broad sense of reasons.
        • Name of third party who reviewed the request pursuant to section 4.1.2 of this policy.
        • Disposition of request:  completed or rejected.
        The report will not include: specific account names, specific reasons, or the specific person making the request.
      4. Accounts that are involved in an ongoing investigation will be reported to the IMC in the reporting cycle immediately following the close of the investigation.
      5. IMC meeting minutes will reflect the production of the report and whether the committee feels that the reported actions appear to be in compliance with this policy.
      6. In the interest of maintaining confidentiality, should any member of the IMC have questions regarding specific incidents in the CIO's report, he/she will need to follow up solely with the CIO, the reviewer of the request or the University President.  A committee member may also communicate a concern through the University's EthicsPoint Fraud and Improper Conduct telephone hotline or on the My.Butler EthicsPoint Reporting website, both of which are monitored by the Board of Trustees.

Administration

Oversight of this policy is the responsibility of the President and CIO, and the policy should be reviewed annually.

Related Policies

Revision History

Approved by the Board of Trustees, February 26, 2010
Approved by Sr. Administrative Group: January 19, 2010
Approved by the Information Management Council: December 20, 2009
Created: 12/20/2009 as complete rewrite from Computer Use Policy, June 2002