Access to Digital Content
This policy sets forth the circumstances and process by which the University may access the content of electronic communications and files on University computer systems, as defined below. It further defines boundaries for such access and in general establishes an organizational posture ensuring continuing respect for the privacy of the University community.
The content of email and files stored on a University computer or in an authorized user's email or network account may be viewed only by the authorized user, unless otherwise so designated by the authorized user. Access to digital content by others is prohibited unless the protocols described in section 1.4 below are followed.
This policy applies to all Brandeis faculty and staff and all digital or electronic resources maintained by the University.
- The University's Chief Information Security Officer is the steward for the data access process and is obligated to oversee and document its application.
1.1. All requests for data access must be directed to the Chief Information Security Officer. Requests must come from the organizational head of a unit and that individual's immediate supervisor. For faculty this will typically be a department/program Chair and Dean or Dean and Provost. Requests may also be made by the General Counsel in situations where the University is required to comply with a subpoena or assist state or federal authorities in an investigation.
1.2. It is appropriate at the direction of the Security Officer for digital content to be preserved by the Security Office while a data access request is pending including before notification to the affected individual is made.
1.3. The individual whose University computer data or email account is being accessed will be notified. Notification may be made post access or entirely suppressed if necessary to comply with a legal instrument or other investigative constraint.
1.4. Conditions for disclosure
Note: Non-legally compelled access will only be provided as part of a University investigation authorized by the Provost, a senior manager reporting directly to the President, or the President, and evidence will only be provided to the appropriate investigative body within the University (e.g., HR for personnel matters), with the exception of item 2 below.
In general, access may be approved for:
1.4.1. Litigation and Legal Processes: legal Instruments such as search warrants, discovery requests, or subpoenas that have been reviewed by the General Counsel.
1.4.2. Internal Investigations of Misconduct or Audit: internal investigations under the auspices of an investigative unit of the University or as part of a legal or financial audit.
1.4.3. Life Safety: emergencies where access to content may help prevent bodily harm to a member or members of the University community. These will be initiated in consultation with the Brandeis Chief of Police.
1.4.4. Business Continuity: absences impacting business continuity may result in a unit being given access to email or digital files. In these circumstances, care must be given to protect the privacy of the individuals affected and the confidentiality of the accessed materials. The University's Chief Information Security Officer will establish a process to ensure these protections.
1.4.5. Business Continuity and ex-employees: Work-related digital content of faculty and staff accounts may be provided, upon request and approval by a dean, a senior manager reporting directly to the President, or the President, to the supervising unit after the termination of employment.
1.4.6. System Maintenance and Security: staff supporting the University's technology infrastructure and its security may, in the performance of their jobs, access or witness otherwise confidential data as required.
- At the discretion of the President or Provost, in consultation with the General Counsel, access may be granted on the authority of the President or Provost in order to address exigent or unforeseen circumstances.
- Authorization for access to digital content may be provided by the consent of the user of the account accessed. When access is approved by the user no notification or additional documentation is required.
The Chief Information Security Officer will maintain records of all requests, whether approved or denied, for a period of three years. An aggregate summary report, absent any personally identifying information, may be provided for purposes of internal audit upon request.
- Electronic Content
Any digital file or communication, including but not limited to email, voicemail, log file, authentication or authorization record, or document and associated metadata.
- Users, Users' accounts
Faculty and staff of Brandeis University, including individuals in sponsored or visitor roles and any University provided accounts they may be granted as part of their affiliation with the University.
All services, computers, networks and devices owned, provided or administered by any unit of the University. This includes but is not limited to email services, file services, voice message services, digital storage devices and services, desktop computers, laptop computers and other mobile devices, and usage and access logs.