Policy on Access to Electronic Records
This policy establishes the rules and procedures for providing access to electronic records owned by the William & Mary administered by the Information Technology department, and stored on or transmitted by William & Mary owned or leased computers and/or networks.
This policy applies to all faculty, staff, and students at W&M, including the Virginia Institute of Marine Science (the university).
Electronic records include, but are not necessarily limited to, files stored locally on laptops/PCs/smart devices, files stored on shared network drives, email, voicemail, calendar files, wired and wireless network logs, authentication logs, and/or Internet flow records.
This policy complies with applicable state and university policy. State Department of Human Resources Management Policy 1.75, which applies to all university employees, including faculty, provides that the university has the authority to monitor and access any employee’s files or other data when either a university computer (or other equipment) or network was used.
William & Mary’s Statement of Rights and Responsibilities states that access to employee records “shall be restricted to authorized personnel for authorized reasons, as determined by the President or his/her delegated representative, and such others as are agreed to in writing by the individual concerned.”
- Requests for access to faculty, staff, or affiliate electronic records belonging to the university must be routed through and approved by the Office of the Vice President for Human Resources. Upon review and approval, the Vice President for Human Resources, or his/her designee, should forward the request to the Chief Information Officer, Deputy Chief Information Officer and/or the Chief Information Security Officer for fulfillment.
- Requests for access to a student’s electronic records must be routed through and approved by the Office of the Vice President for Student Affairs. Upon review and approval, the Vice President for Student Affairs, or his/her designee, should forward the request to the Chief Information Officer, Deputy Chief Information Officer and /or Chief Information Security Officer for fulfillment.
- Requests for access to employee or student electronic records issued via a court order, subpoena, or requests for information under the Freedom of Information Act must be routed through and approved by the Office of University Counsel. Upon review and approval of the court order or subpoena, University Counsel, or his/her designee, should forward the request to the Chief Information Security Officer or his/her designee for fulfillment.
Access to electronic records will be provisioned in the following manner:
- For access to files on a local hard drive of a laptop/pc owned or leased by W&M, the IT department will create an account on the computer with administrator privileges and provision the account to the supervisor or requesting authority. This allows the supervisor or requesting authority access to all local files on the computer.
- For access to an individual’s files on a shared network drive (H: drive), IT will copy the contents of the drive to another location and provision access to the files to the supervisor or requesting authority.
- For access to a staff member’s Microsoft Exchange account, the IT department will export the current mailbox and deliver it to the supervisor/requesting authority OR, if deemed necessary, provide full access to the account from the supervisor/requesting authorities existing mailbox (this will create a new set of mail folders for the supervisor/requesting authority which will contain the employees existing and new incoming mail)
- For access to voice mail or call record details, the IT department will provide a file or media with the requested data in a .wav format (for voice mail) and a .txt format for call record details.
- For access to files on the university’s Secure File Sharing system, Box, the requestor will be granted access to the specific folders as a Co-Owner of the folder(s) including read, edit, and download rights.
- For access to network logs, voice mail, call detail, or Internet flow records IT will make the files available via a shared, secured folder on Box.
Access to any and all of these electronic records will be granted for as long is necessary to conduct the university’s business or to satisfy the needs of the requesting authority. Once access is no longer needed the supervisor or requesting authority must notify the university’s Chief Information Security Officer so that the provisioned accounts can be terminated.
In the event of an emergency, where access to electronic records administered by William & Mary's Information Technology department is required immediately and/or approvers are not responding, the W&M Police bears the authority to bypass the approval process described here and make direct requests for the information to any IT director or system administrator capable of fulfilling the request. Any request of his nature must be recorded and reported to the Senior Vice President of Finance and Administration and the Chief Information Officer.
 “No user shall have any expectation of privacy in any message, file, image or data created, sent, retrieved, received, or posted in the use of the Commonwealth’s equipment and/or access. Agencies have a right to monitor any and all aspects of electronic communications and social media usage. Such monitoring may occur at any time, without notice, and without the user’s permission.”