The University’s Policy on the Acceptable Use of Information Technology Resources was established to recognize and balance a number of interests that may at times be in conflict with one another. The policy seeks to protect the fulfillment of the University’s threefold mission of teaching, research, and service, while also balancing the rights of intellectual freedom, freedom of thought and expression, and the privacy interests of faculty and staff members.
The implementation of this policy often integrates the application of other policies, such as:
- Ethics and Responsibility Statements for Faculty and Staff
- Human Rights
- Sexual Harassment and Sexual Misconduct
- Anti-Harassment
- Anti-Retaliation
- federal laws such as the Health Insurance Portability and Accountability Act (HIPAA) (reference II.19.4(d)), the Family Educational Rights and Privacy Act (FERPA) (reference II.19.4(d)), and
- other regulations and policies governing the conduct of the university community.
Please see IT Security's Policies, Standards, & Guidelines page for additional detail on the requirements of the Acceptable Use Policy.
Implementation of the acceptable use policy raises some unique issues that will be addressed here.
Supervisors are responsible for establishing and maintaining appropriate procedures to protect the security of electronic files and systems. Employees are charged to keep their passwords secure, and supervisors may not override or force the disclosure of personal passwords. However, passwords may be reset by Information Technology Services (ITS) or Health Care Information Systems (HCIS) for a supervisor in exceptional circumstances, including situations where there is an emergent business need to obtain file access and the employee is unavailable to provide direct access. Even so, once the emergent need has subsided, the password should be immediately restored to the previous level of security.
Members of the university community are strongly encouraged to report violations of university policy to the appropriate recipient, as indicated below.
- Faculty and Staff - report violations to their supervisor or unit HR representative.
- Students - report violations to the Office of the Vice President for Student Life.
- In the case of information technology (IT) resources, violations should be reported to the Information Security and Policy Office (ISPO) or Health Care Information Systems.
Those who choose to remain anonymous may report violations through the use of EthicsPoint®.
Where violations of law are alleged, the Department of Public Safety (DPS) and/or the Office of the General Counsel (OGC) should be contacted. Good faith reports of violations are protected from retaliatory action by the university’s Anti-Retaliation Policy.
While the acceptable use policy balances the privacy interest of employees, its application also requires us to recognize different levels of privacy. For example, electronic files stored in a shared network drive, normally accessible by multiple users, do not carry an expectation of privacy with other users of the shared drive. In contrast, files that are password-protected on an individual home drive on a server, on a personal device, or on the hard drive of a single-user machine may carry a heightened expectation of privacy, and therefore supervisor access may require authorization. Such differences in user expectations are reflected in the procedures for inspections and monitoring of information technology resources, which are established in the acceptable use policy.
Technical staff members who provide service and support are responsible for detecting anomalies such as noticeable disparities or changes in personal storage space requirements, equipment malfunctions, problematic file names or file types, or other discoveries that may indicate inappropriate use. Such discoveries are not construed as breaching an individual’s privacy unless file contents are reviewed without appropriate authorization. Technical staff members are expected to troubleshoot anomalies, and are expected to report suspected violations of law or policy.
ISPO is charged to perform network security vulnerability scans, manage security incident response activities including the forensic analysis of compromised machines, and engage in other activities to assist with the secure use of information technology. These activities are required for the secure provision of service.
Similarly, the ITS Telephone and Voice Services and UI Health Care Telephone System log network activity, monitor general usage patterns, and perform other such activities that are necessary for the provision of network service.
Restrictions
The acceptable use policy establishes a procedure for searches of electronic files or drives based upon a suspected violation of university policy or law. The request must be evaluated in consultation by the following departments/officials:
- Information Security and Policy Office (ISPO)
- Office of the General Counsel (OGC)
- University Human Resources (UHR), and
- other university officials on a case-by-case basis.
Individual supervisors are prohibited from conducting searches of the contents of electronic files and drives which are password-protected without approval from the Chief Information Security Officer (CISO).
Procedures
As with other types of discipline issues, supervisors are advised to consult with their unit HR representatives and/or the senior HR leader in their college or division. If inspection or monitoring is contemplated, UHR Employee and Labor Relations or UI Health Care HR should be consulted.
Depending on the situation, UHR or UI Health Care HR will consult with the ISPO. If appropriate, HR staff will then make a request for inspection or monitoring. In relation to the timeliness of any request, consideration may be given to interim measures necessary to preserve evidence or to protect individuals and property. Specific parameters will be established in each case and will be maintained by the ISPO in consultation with OGC. Once complete, the staff member will be informed of the procedures implemented as determined by the ISPO.
DPS may also access and inspect electronic files and records as part of a criminal investigation in coordination with the ISPO.
Resources
In addition to the written university policies, specifically the Policy on the Acceptable Use of Technology Resources, supervisors should consult with the following resources: