Granting Third Party Access to Individual Electronic Records on College Owned or Leased Computers
The document applies to all electronic records stored on or transmitted by College of William and Mary owned or leased computers including local computer files, network files, email, voicemail, and calendar files.
The Commonwealth of Virginia explicitly states in the Department of Human Resources Management Policy 1.75 that, “No user shall have any expectation of privacy in any message, file, image or data created, sent, retrieved, received, or posted in the use of the Commonwealth’s equipment and/or access.” However, the College does not generally grant third party access to an employee’s electronic records unless there is a compelling situation requiring access. The goal of this document is to clarify the situations that require providing a third party access to individual electronic records and the procedures for provisioning the access.
Generally, there are four (4) situations where a third party requires access to an individual’s electronic records on College owned or leased computers:
1. A supervisor needs access to an individual’s electronic records because the individual is no longer associated with the College and the electronic records are needed to conduct College business.
2. A supervisor needs access to an employee’s electronic records because the employee is on extended leave of absence and the electronic records are needed to conduct College business.
3. A supervisor needs access to an employee’s electronic records because the employee is under disciplinary review and the electronic records are needed to conduct the review.
4. Access to an employee’s electronic records is needed to satisfy a court order or subpoena.
In addition, there are situations where an employee vacates his/her position and a supervisor requests that all new email sent to the former employee's Exchange email account be forwarded to the supervisor's Exchange email account. For this situation, supervisors need only send a request to firstname.lastname@example.org with the former employees email address and their current email address requesting the forward. In response, IT will create the forward with an automatic reply to send all future email to the supervisor's Exchange email account. After thirty (30) days, the former employees's Exchange email account will be terminated and all email sent to that email address after thirty (30) days will bounce back to the original sender.
For the four (4) scenarios numbered above supervisors should follow the procedures below.
For the first three scenarios above, request for access to a Classified, University, Professional, or Profession Faculty position must be reviewed and approved by the Associate Vice President for Human Resources (or his/her designee) before the access will be granted. For Adjunct, Part-Time, and Full Time Instructional Faculty requests must be reviewed and approved by the College Provost (or his/her designee). Once approved, the request will be forwarded to the College’s Chief Information Officer (or his/her designee) for fulfillment. For the fourth scenario, a copy of the court order or subpoena must be sent to the College’s Chief Information Officer (or his/her designee) as evidence of the need to grant access to the requesting authority. Once reviewed and verified the request for access will be granted.
Access to an employee’s electronic records will be provisioned in the following manner:
- For access to files on a local hard drive of a computer owned or leased by the College, the IT department will create an account on the computer with administrator privileges and provision the account to the supervisor or requesting authority. This allows the supervisor or requesting authority access to all local files on the computer.
- For access to files on an individual’s home folder on the College’s network (H: drive), IT will copy the contents of the drive to another location and provision access to the files to the supervisor or requesting authority.
- For access to an individual’s Microsoft Exchange account, the IT department will create an account with access to the Microsoft Exchange account and provision the account to the supervisor or requesting authority.
- For access to all three file sources (local hardrive, H: drive on the College network, and Microsoft Exchange account) the IT department will provision access using the three methods described previously to the supervisor or requesting authority.
- For access to voice mail or call record details, the IT department will provide a secure, removeable drive or CD with the requested data in a .wav format (for voice mail) and a .txt format for call record details.
Access to any and all of these electronic records will be granted for as long is necessary to conduct the College’s business or to satisfy the needs of the requesting authority. Once access is no longer needed the supervisor or requesting authority must notify the College’s Chief Information Officer so that the provisioned accounts can be terminated.
In the event of an emergency, where access to electronic records administered by the College’s Information Technology department is required immediately, the College of William and Mary Police bears the authority to bypass the approval process described here and make direct requests for the information to any IT director or system administrator capable of fulfilling the request. Any request of his nature must be recorded and reported to the Vice President of Administration.
This policy was approved by the Information Security Steering Committee on Friday November 15, 2013.