
Granting Access to Electronic Records

Title: Policy on Access to Electronic Records
Responsible Office: Information Security Office

I. Scope

This policy sets out guidelines and processes for university access to user electronic information stored in or transmitted through any university system. This policy applies to all records at all schools and units at William & Mary (“the university”). 

II. Purpose

This policy outlines situations in which the university may authorize access to electronic records stored on university systems and the authorization process necessary to fulfill the access. 

Members of the university community rely on technology in multiple aspects of their work, teaching, research, study, and other activities. In doing so, they use electronic systems, networks, and devices that the university owns, provides, or administers. The university makes these systems available for the purpose of carrying out the university’s mission. To promote trust within the community, the university seeks to be transparent about its policy regarding the circumstances in which it may access user electronic information stored in or transmitted through these systems. This policy sets out guidelines and processes that apply when the university accesses such electronic information.

The policy is grounded in six important principles:  

  1. The university does not routinely inspect electronic records except for legitimate business reasons. 
  2. Faculty and staff should have no expectation of privacy regarding electronic records created and stored on university systems; students, however, do have a limited right to privacy regarding electronic records they create as a matriculated student at the university and store on university systems. 
  3. Access should occur only for a legitimate and important university purpose.  
  4. Access should be authorized by an appropriate and accountable person(s).  
  5. Access should be limited to the user electronic information needed to accomplish the purpose.  
  6. Sufficient records should be kept to enable appropriate review of compliance with this policy.

III. Policy

Circumstances for Access
  • System Protection, Maintenance, and Management: University systems require ongoing maintenance and inspection to ensure that they are operating properly; to protect against threats such as attacks, malware, and viruses; and to protect the integrity and security of information. University systems also require regular management, for example, to implement new software or other facilities. To do this work, the university may scan or otherwise access user electronic information.
  • Business Continuity: User electronic information may be accessed for the purpose of ensuring continuity in business operations. This need can arise, for example, if an employee who typically has access to the files in question is unavailable due to extended absence or end of employment.
  • Safety Matters: The university may access user electronic information to deal with exigent situations presenting threats to the safety of the campus or to the life, health, or safety of any person.  
  • Legal Process, Litigation, or Code of Virginia Regulations: The university may access user electronic information in connection with threatened or pending litigation, and to respond to lawful demands for information in law enforcement investigations, other government investigations, and legal processes. The university may also access public records in the custody of a public body or its officers and employees in compliance with the Virginia Freedom of Information Act.
  • Internal Investigations of Misconduct: The university may access user electronic information in connection with investigations of misconduct by members of the university community. 
  • Academic or Research Interests: The university may grant access to certain categories of data such as network flow data, IP addresses, and other infrastructure-related data for the purposes of conducting legitimate academic or research activities.

IV. Procedure

The university’s Statement of Rights and Responsibilities states that access to employee records "shall be restricted to authorized personnel for authorized reasons, as determined by the President or his/her delegated representative, and such others as are agreed to in writing by the individual concerned."  

A. Authorization  
  1. Requests for access to faculty, staff, or affiliate electronic records belonging to the university must be routed through University Human Resources (“UHR”) and Information Technology (“IT”).  Approval is based on a demonstrated legitimate interest and one or more of the listed circumstances under Section IV of this policy and shall be approved by the Chief Human Resources Officer (or her equivalent designee).  
  2. Requests for access to a student's electronic records must be routed through Student Affairs and IT. Approval is based on a demonstrated legitimate interest and one or more of the listed circumstances under Section IV of this policy and shall be approved by the Vice President for Student Affairs (or his/her equivalent designee).
  3. Requests for access to employee/affiliate or student electronic records issued via a court order, subpoena, or requests for information under the Freedom of Information Act must be routed through and approved by the Office of University Counsel. Upon review and approval of the court order or subpoena, the University Counsel, or their designee, should forward the request to the Chief Information Security Officer (or his/her equivalent designee) for fulfillment. 
B. Provision of Records  
  1. For access to files on a local hard drive of a laptop/PC owned or leased by W&M, the IT department creates an account on the computer with administrator privileges and provisions the account to the supervisor or requesting authority. This allows the supervisor or requesting authority access to all local files on the computer.
  2. For access to an individual’s Microsoft Exchange account, the IT department exports the current mailbox and delivers it to the supervisor/requesting authority OR, if deemed necessary, provides full access to the account from the supervisor/requesting authority’s existing mailbox (this will create a new set of mail folders for the supervisor/requesting authority, which will contain the employee’s existing and/or new incoming mail).
    For access to voice mail or call record details, the IT department provides a file or media with the requested data in a .wav format (for voice mail) and a .txt format for call record details. 
  3. For access to files on the university's Secure File Sharing system, Box, the requestor will be granted access to the specific folders as a Co-Owner of the folder(s), including read, edit, and download rights.
    For access to network logs, voice mail, call detail, or Internet flow records, IT provides the files via a shared, secured folder on Box. 
C. Duration and Conclusion 

Access to any or all of these electronic records will be granted for as long as is necessary to conduct the university's business or to satisfy the needs of the requesting authority.
For access to a hard drive, Microsoft Exchange account or co-ownership of a Box file, once access is no longer needed, the supervisor or requesting authority must notify the university's Chief Information Security Officer so that the provisioned accounts can be terminated. 

V. Non-Compliance

An employee’s or affiliate’s failure to comply with any of the above policy statements or procedures may result in discipline, in accordance with general university employment policies and procedures that apply to the respective category of employee. The university may also temporarily deny access to university information systems and may refer the case to the appropriate local, state, or federal authority for further disposition. 

A student’s failure to comply with any of the above policy statements may result in disciplinary actions in accordance with the Student Handbook. Depending on the nature and severity of the violation, the university may take one or more of the disciplinary actions listed under Administration of Student Code of Conduct, Section VII. The university may also temporarily deny access to university information systems and may refer the case to the appropriate local, state, or federal authority for further disposition. 

Related Policies and Procedures