Access to Digital Content
Introduction
The objective of Brandeis University in the development and implementation of this comprehensive policy is to create effective administrative safeguards for the protection of digital content.
This policy sets forth the circumstances and process by which the university may access the content of electronic communications and files on university computer systems. It further defines boundaries for such access and establishes an organizational posture ensuring continuing respect for the privacy of the university community.
Applicability
This policy applies to all Brandeis University faculty, staff, hired consultants, interns and student employees, and all digital or electronic resources maintained by the university.
Definitions
- Electronic Content: Any digital file or communication, including but not limited to email, voicemail, log file, authentication or authorization record, or document and associated metadata.
- Systems: All services, computers, networks and devices owned, provided or administered by any unit of the university. This includes but is not limited to email services, file services, voice message services, digital storage devices and services, desktop computers, laptop computers and other mobile devices, and usage and access logs.
Policy Statement
The university's Chief Information Security Officer is responsible for the data access process and is obligated to oversee and document its application.- 1.0 — All requests for data access must be directed to the Chief Information Security Officer. Requests must come from the organizational head of a unit and that individual's immediate supervisor. For faculty this will typically be a department/program Chair and Dean or Dean and Provost. Requests may also be made by the General Counsel in situations where the university is required to comply with a subpoena, search warrant, litigation discovery request, or other legal instrument.
- 2.0 — At the direction of the Chief Information Security Officer, it is appropriate for digital content to be preserved by the Information Security Office while a data access request is pending, including before notification to the affected individual is made.
- 2.1 — The individual whose university computer data or email account is being accessed will be notified, except that notification may be made post access or entirely suppressed if necessary to comply with a legal instrument, or other investigative constraint.
- 3.0 — Conditions for Disclosure
- Note: With the exception of Section 4.0 below, non-legally compelled access will only be provided when authorized by any two of the following: the Provost, the Executive Vice President for Finance and Administration, the General Counsel and the President. Evidence will only be provided to the appropriate investigative body within the university (e.g., HR for personnel matters). In general, access may be approved for:
- 3.1 Internal Investigations of Misconduct or Audit: Internal investigations under the auspices of an investigative unit of the university or as part of a legal or financial audit.
- 3.2 Life Safety: Emergencies where access to content may help prevent bodily harm to a member or members of the university community. These will be initiated in consultation with the Brandeis Chief of Police.
- 3.3 Business Continuity: Absences impacting business continuity may result in a unit being given access to email or digital files. In these circumstances, care must be given to protect the privacy of the individuals affected and the confidentiality of the accessed materials. The university's Chief Information Security Officer will establish a process to ensure these protections.
- 3.4 Business Continuity and ex-employees: Work-related digital content of faculty and staff accounts may be provided to the supervising unit after the termination of employment.
- 4.0 — Other Permissible Access
- 4.1 System Maintenance and Security: staff supporting the University's technology infrastructure and its security may, in the performance of their jobs, access or review data as required.
- 4.2 Exigent Circumstances: Access may be granted on the authority of the President, the Provost or the Executive Vice President for Finance and Administration alone in order to address exigent circumstances. The university official granting access shall notify the General Counsel as soon as practicable thereafter.
- 4.3 Consent of the User: Authorization for access to digital content may be provided by the consent of the user of the account accessed
Records Management
The Chief Information Security Officer will maintain records of all requests, whether approved or denied, for a period of three years. An aggregate summary report, absent any personally identifying information, may be provided for purposes of internal audit upon request.
This policy does not create an employment contract or any right to continued employment at Brandeis University. Brandeis University reserves the right to modify, revoke, suspend, terminate and/or change any and all policies and procedures at any time, with or without notice.
Policy Owner
Information Technology Services
Revised and Approved: Feb. 3, 2020