The Office of Human Resources

Home / University Policies and Procedures / Accessing Digital Content Policy

Accessing Digital Content Policy

The content of email and files stored on a university computer or in an authorized user's email or network account may be viewed only by the authorized user, unless otherwise so designated by the authorized user. Access to digital content by others is prohibited unless the protocols described below are followed.

This policy sets forth the circumstances and process by which Brandeis University may access the content of electronic communications and files on university computer systems. It further defines boundaries for such access and in general establishes an organizational posture ensuring continuing respect for the privacy of the university community.

Applicability

This policy applies to all Brandeis faculty and staff and all digital or electronic resources maintained by the university.

Guidelines

The university's chief information security officer or chief information officer is the steward for the data access process and is obligated to oversee and document its application.
All requests for data access must be directed to the chief information security officer or chief information officer.
Requests must come from the organizational head of a unit and that individual's immediate supervisor. For faculty, this will typically be a department/program chair and dean, or dean and provost. Requests may also be made by the general counsel in situations where the university is required to comply with a subpoena or assist state or federal authorities in an investigation.
It is appropriate at the direction of the security officer for digital content to be preserved by the security office while a data access request is pending including before notification to the affected individual.
An individual whose university computer data or email account is being accessed will be notified and, normally, notice will be given as soon as is practical. However, notification may be made post-access or entirely suppressed if necessary to comply with a legal instrument or other investigative constraint.

Conditions for Disclosure

Nonlegally compelled access will be provided only as part of a university investigation authorized by the provost, a senior manager reporting directly to the president or the president him/herself, and evidence will only be provided to the appropriate investigative body within the university (e.g., human resources, for personnel matters), with the exception noted below.

In general, access may be approved for:

Litigation and legal processes: Legal instruments such as search warrants, discovery requests or subpoenas that have been reviewed by the general counsel.
Internal investigations of misconduct or audit: Internal investigations under the auspices of an investigative unit of the university or as part of a legal or financial audit.
Life safety: Emergencies where access to content may help prevent bodily harm to a member or members of the university community. These will be initiated in consultation with the Brandeis director of public safety/campus police.
Business continuity: Absences impacting business continuity may result in a unit being given access to email or digital files. In these circumstances, care must be given to protect the privacy of the individuals affected and the confidentiality of the accessed materials. The university's chief information security officer will establish a process to ensure these protections.
Business continuity and former employees: Work-related digital content of faculty and staff accounts may be provided, upon request and approval by a dean, a senior manager reporting directly to the president or the president him/herself to the supervising unit after the termination of employment.
System maintenance and security: Staff supporting the university's technology infrastructure and its security may, in the performance of their jobs, access or witness otherwise confidential data as required.

At the discretion of the president, executive vice president or provost, in consultation with the general counsel, access may be granted on the authority of the president, executive vice president or provost in order to address exigent or unforeseen circumstances.

Authorization for access to digital content may be provided by the consent of the user of the account accessed. When access is approved by the user, no notification or additional documentation is required.

Records Management

The chief information security officer will maintain records of all requests, whether approved or denied, for a period of three years. An aggregate summary report, absent any personally identifying information, may be provided for purposes of internal audit upon request.

Definitions

Electronic content: Any digital file or communication, including but not limited to email; voicemail; log file; authentication or authorization record; or document and associated metadata.
Users, users' accounts: Faculty and staff of Brandeis University, including individuals in sponsored or visitor roles, and any university-provided accounts they may be granted as part of their affiliation with the university.
Systems: All services, computers, networks and devices owned, provided or administered by any unit of the university. This includes but is not limited to email services; file services; voice message services; digital storage devices and services; desktop computers, laptop computers and other mobile devices; and usage and access logs.