The University’s Policy on the Acceptable Use of Information Technology Resources was established to recognize and balance a number of interests that may at times be in conflict with one another. The policy seeks to protect the fulfillment of the University’s threefold mission of teaching, research and service, while also balancing the rights of intellectual freedom, freedom of thought and expression and the privacy interests of faculty and staff members.
The implementation of this policy often integrates the application of other policies, such as the Ethics and Responsibility Statements for Faculty and Staff, the Human Rights Policies, the Policy on Sexual Harassment, Anti-Harassment, Anti-Retaliation, and federal laws such as the Health Insurance Portability and Accountability Act (HIPAA), the Family Educational Rights and Privacy Act (FERPA) and other regulations and policies governing the conduct of the University community. Implementation of the Acceptable Use Policy raises some unique issues that will be addressed here.
Supervisors are responsible for establishing and maintaining appropriate procedures to protect the security of electronic files and systems. Employees are charged to keep their passwords secure and supervisors may not override or force the disclosure of personal passwords. However, passwords may be reset by Information Technology Services (ITS) or Health Care Information Systems (HCIS) for a supervisor in exceptional circumstances including situations where there is an emergent business need to obtain file access and the employee is unavailable to provide direct access. Even so, once the emergent need has subsided, the password should be changed immediately to restore the previous level of security.
Members of the University community are strongly encouraged to report violations of University policy to their supervisor, Human Resource Representative, or in the case of information technology resources, to the University Information Security Officer or Health Care Information Systems offices, or in the case of a student, to the Office of the Vice President for Student Life. Anonymous reports of misuse of University resources may also be made through the use of EthicsPoint®. Where violations of law are alleged, University Public Safety and/or Office of the General Counsel should be contacted. Good faith reports of violations are protected from retaliatory action by the University’s Anti-Retaliation Policy.
While the Acceptable Use Policy balances the privacy interest of employees, its application also requires us to recognize different levels of privacy. For example, electronic files stored in a shared network drive, normally accessible by multiple users, do not carry an expectation of privacy with other users of the shared drive. In contrast, files that are password-protected on an individual home drive on a server, on a personal device or on the hard drive of a single user machine may carry a heightened expectation of privacy and therefore, supervisor access may require authorization. Such differences in user expectations are reflected in the procedures for inspections and monitoring of information technology resources which are established in the Acceptable Use Policy.
Unless further restricted by department or unit based policies, the Acceptable Use Policy does not prohibit all personal use. Rather, limited personal use is permitted unless it interferes with productivity, violates other University policies, results in additional expense to the University, or otherwise interferes with or compromises the intended University use or achievement of the University mission. As the policy is structured, personal use alone cannot generally be used as evidence of a technology policy violation, unless it exceeds the “de minimis” threshold established in the policy, or is tied to evidence of a policy violation or evidence of unsatisfactory productivity. Personal use, as a reflection of time and effort, must be put into a context with other measures. Supervisors are advised to focus on productivity, performance expectations or potential violation of University policies, rather than focus on the use of technology.
If you need help developing a department or unit-based policy contact University Employee and Labor Relations for advice and assistance.
It should also be noted that as University records, materials generated through personal use may be subject to disclosure by the University without the individual’s permission through subpoenas or other court orders, reasonable legal discovery or through request for records under the Iowa public records law.
Scanning and Monitoring versus Searching
Technical staff members who provide service and support are responsible for detecting anomalies such as noticeable disparities or changes in personal storage space requirements, equipment malfunctions, problematic file names or file types, or other discoveries that may indicate inappropriate use. Such discoveries are not construed as breaching an individual’s privacy unless file contents are reviewed without appropriate authorization. Technical staff members are expected to troubleshoot anomalies, and are expected to report suspected violations of law or policy.
The Information Security and Policy Office is charged to perform network security vulnerability scans, manage security incident response activities including the forensic analysis of compromised machines, and engage in other activities to assist with the secure use of information technology. These activities are required for the secure provision of service.
Similarly, the ITS Telecommunications and Networking Services and UI Health Care Information Systems Telecommunications departments log network activity, monitor general usage patterns, and perform other such activities that are necessary for the provision of network service.
Restrictions on Inspections and Monitoring
The Acceptable Use Policy establishes a procedure for searches of electronic files or drives, based upon a suspected violation of University policy or law. The request must be evaluated by the University IT Security Officer, working in consultation with the Office of the General Counsel, University Human Resources and other University officials on a case-by-case basis. Individual supervisors are prohibited from conducting searches of the contents of electronic files and drives which are password-protected without approval from the University IT Security Officer.
Procedure for Inspection or Monitoring
As with other types of discipline issues, supervisors are advised to consult with their local Human Resources Representative and/or Senior Human Resources Leader in their college or division. If inspection or monitoring is contemplated, University Human Resources/Employee and Labor Relations or UI Health Care Human Resources should be consulted.
Depending on the situation, University Human Resources will then consult with the University IT Security Officer, or UI Health Care Human Resources will then consult with the Health Care Information Systems Security Manager. If appropriate, Human Resources will then make a request for inspection or monitoring. In relation to the timeliness of any request, consideration may be given to interim measures necessary to preserve evidence or to protect individuals and property. Specific parameters will be established in each case and will be maintained by the University Information Security Officer in consultation with the Office of the General Counsel. Once complete, the staff member will be informed of the procedures implemented as determined by the Information Security and Policy Office.
The University Department of Public Safety may also access and inspect electronic files and records as part of a criminal investigation in coordination with the Information Security and Policy Office.
In addition to the written University policies, specifically the Policy on the Acceptable Use of Technology Resources, supervisors should consult with the following resources:
- their Unit Human Resource Representative,
- their College/Division Senior Human Resource Leader,
- University Employee and Labor Relations,
- the Information Security and Policy Office, and
- Office of the General Counsel