Granting Third Party Access to Individual Electronic Records on College Owned or Leased Computers
The document applies to all electronic records stored on or transmitted by College of William and Mary owned or leased computers including local computer files, network files, email, voicemail, and calendar files.
This document establishes the rules and procedures for granting access to an employee’s electronic records and/or files including network files, local computer files, email, call records, voicemail, and calendar. It applies to all types of employees, including faculty. It applies to the College of William & Mary, including the Virginia Institute of Marine Science (the university). It does not apply to requests for records from external parties or entities, which are handled under William & Mary’s Freedom of Information Act Policy or, for legal or law enforcement requests, by the Office of University Counsel.
This procedure complies with applicable state and university policy. State Department of Human Resources Management Policy 1.75, which applies to all university employees, including faculty, provides that the university has the authority to monitor and access any employee’s files or other data when either a university computer (or other equipment) or network was used.
William & Mary’s Statement of Rights and Responsibilities states that access to employee records “shall be restricted to authorized personnel for authorized reasons, as determined by the President or his/her delegated representative, and such others as are agreed to in writing by the individual concerned.” This procedure describes the reasons for which access will be granted and the procedure for obtaining authorization.
Generally, there are six (6) situations where a third party requires access to an individual’s electronic records on College owned or leased computers:
1. A supervisor needs access to an individual’s electronic records because the individual has left W&M’s employ or is out on extended leave, such as disability leave, and the electronic records are needed to conduct university business.
2. The Office of Compliance & Policy is conducting an internal investigation and the records may include relevant information.
3. A supervisor needs access to an employee’s electronic records because the employee is under disciplinary review and the electronic records are needed to conduct the review.
4. The Office of University Counsel requires access to satisfy a court order or subpoena.
5. Internal Audit requires access to conduct an audit or investigation.
6. The Office of Compliance & Policy, VP for Research or University Counsel is collecting records to respond to a governmental audit, investigation, inquiry, or information request.
In addition, there are situations where an employee vacates his/her position and a supervisor requests that all new email sent to the former employee's Exchange email account be forwarded to the supervisor's Exchange email account. For this situation, supervisors need only send a request to email@example.com with the former employees email address and their current email address requesting the forward. In response, IT will create the forward with an automatic reply to send all future email to the supervisor's Exchange email account. After thirty (30) days, the former employees's Exchange email account will be terminated and all email sent to that email address after thirty (30) days will bounce back to the original sender.
For the six (6) scenarios numbered above supervisors should follow the procedures below.
For the first three scenarios above, request for access to a Classified, University, Professional, or Profession Faculty position must be reviewed and approved by the Associate Vice President for Human Resources (or his/her designee) before the access will be granted. For Adjunct, Part-Time, and Full Time Instructional Faculty requests must be reviewed and approved by the College Provost (or his/her designee). Once approved, the request will be forwarded to the College’s Chief Information Officer (or his/her designee) for fulfillment. For the remaining three scenarios, requests should be sent to the College’s Chief Information Officer (or his/her designee) via University Counsel.
Access to an employee’s electronic records will be provisioned in the following manner:
- For access to files on a local hard drive of a computer owned or leased by the College, the IT department will create an account on the computer with administrator privileges and provision the account to the supervisor or requesting authority. This allows the supervisor or requesting authority access to all local files on the computer.
- For access to files on an individual’s home folder on the College’s network (H: drive), IT will copy the contents of the drive to another location and provision access to the files to the supervisor or requesting authority.
- For access to an individual’s Microsoft Exchange account, the IT department will create an account with access to the Microsoft Exchange account and provision the account to the supervisor or requesting authority.
- For access to all three file sources (local hardrive, H: drive on the College network, and Microsoft Exchange account) the IT department will provision access using the three methods described previously to the supervisor or requesting authority.
- For access to voice mail or call record details, the IT department will provide a secure, removeable drive or CD with the requested data in a .wav format (for voice mail) and a .txt format for call record details.
Access to any and all of these electronic records will be granted for as long is necessary to conduct the College’s business or to satisfy the needs of the requesting authority. Once access is no longer needed the supervisor or requesting authority must notify the College’s Chief Information Officer so that the provisioned accounts can be terminated.
In the event of an emergency, where access to electronic records administered by the College’s Information Technology department is required immediately, the College of William and Mary Police bears the authority to bypass the approval process described here and make direct requests for the information to any IT director or system administrator capable of fulfilling the request. Any request of his nature must be recorded and reported to the Vice President of Administration.
This policy was approved by the Information Security Steering Committee on Friday November 15, 2013.
 “No user shall have any expectation of privacy in any message, file, image or data created, sent, retrieved, received, or posted in the use of the Commonwealth’s equipment and/or access. Agencies have a right to monitor any and all aspects of electronic communications and social media usage. Such monitoring may occur at any time, without notice, and without the user’s permission.”