Supervisors are responsible for establishing and maintaining appropriate procedures to protect the security of electronic files and systems. Employees are charged to keep their passwords secure, and supervisors may not override or force the disclosure of personal passwords. However, passwords may be reset by Information Technology Services (ITS) or Health Care Information Systems (HCIS) for a supervisor in exceptional circumstances including situations where there is an emergent business need to obtain file access and the employee is unavailable to provide direct access. Even so, once the emergent need has subsided, the password should be immediately restored the previous level of security.

Members of the university community are strongly encouraged to report violations of university policy to the appropriate recipient, as indicated below.

• Faculty and Staff - report violations to their supervisor or unit HR representative.
• Student - report violations to the Office of the Vice President for Student Life
• In the case of information technology (IT) resources, violations should be reported to the Information Security and Policy Office (ISPO) or Health Care Information Systems.

Those who choose to remain anonymous may report violations through the use of EthicsPoint®.

Where violations of law are alleged, the Department of Public Safety (DPS) and/or the Office of the General Counsel (OGC) should be contacted. Good faith reports of violations are protected from retaliatory action by the university’s Anti-Retaliation Policy.

While the acceptable use policy balances the privacy interest of employees, its application also requires us to recognize different levels of privacy. For example, electronic files stored in a shared network drive, normally accessible by multiple users, do not carry an expectation of privacy with other users of the shared drive. In contrast, files that are password-protected on an individual home drive on a server, on a personal device, or on the hard drive of a single user machine may carry a heightened expectation of privacy and therefore, supervisor access may require authorization. Such differences in user expectations are reflected in the procedures for inspections and monitoring of information technology resources which are established in the acceptable use policy.

Technical staff members who provide service and support are responsible for detecting anomalies such as noticeable disparities or changes in personal storage space requirements, equipment malfunctions, problematic file names or file types, or other discoveries that may indicate inappropriate use. Such discoveries are not construed as breaching an individual’s privacy unless file contents are reviewed without appropriate authorization. Technical staff members are expected to troubleshoot anomalies, and are expected to report suspected violations of law or policy.

ISPO is charged to perform network security vulnerability scans, manage security incident response activities including the forensic analysis of compromised machines, and engage in other activities to assist with the secure use of information technology. These activities are required for the secure provision of service.

Similarly, the ITS Telephone and Voice Services and UI Health Care Telephone System log network activity, monitor general usage patterns, and perform other such activities that are necessary for the provision of network service.

Restrictions 

The acceptable use policy establishes a procedure for searches of electronic files or drives based upon a suspected violation of university policy or law. The request must be evaluated in consultation by the following departments/officials:

• Information Security and Policy Office (ISPO)
• Office of the General Counsel (OGC)
• University Human Resources (UHR), and
• other university officials on a case-by-case basis.

Individual supervisors are prohibited from conducting searches of the contents of electronic files and drives which are password-protected without approval from the Chief Information Security Officer (CISO).

Procedures

As with other types of discipline issues, supervisors are advised to consult with their unit HR representatives and/or the senior HR leader in their college or division. If inspection or monitoring is contemplated, UHR Employee and Labor Relations or UI Health Care HR should be consulted.

Depending on the situation, UHR or UI Health Care HR will consult with the ISPO. If appropriate, HR staff will then make a request for inspection or monitoring. In relation to the timeliness of any request, consideration may be given to interim measures necessary to preserve evidence or to protect individuals and property. Specific parameters will be established in each case and will be maintained by the ISPO in consultation with OGC. Once complete, the staff member will be informed of the procedures implemented as determined by the ISPO.

DPS may also access and inspect electronic files and records as part of a criminal investigation in coordination with the ISPO.