Security, Policy, Access to employee's email/files/folders by someone other than employee
Explanation of policy and procedures to access another person's email/files/folders.
Summary:
Units may not have access to an employee's email, files, or folders without proper authorization. If the employee is able to give consent, this is the easiest method. The employee should send an email to the supervisor, or otherwise put the permission in writing.
In instances where an employee is unable to give consent, units must fill out the appropriate authorization forms, as indicated below.
Any questions not answered in this article should be directed to securitysupport@illinois.edu
Full Article:
When an employee is unavailable (out sick, no longer employed at the university, passed away, etc.), there are unfortunately sometimes important business-related documents or other information in the employee's personal email, files, or folders. In that case, unit personnel will often request access to information that may be needed to continue the campus business that employee was working on.
It is important to know that, for privacy reasons, campus policy requires an approval process to be followed before any IT pro or other personnel with administrative access is permitted to provide such access to anyone other than the employee whose user account is named as the "owner" of those items.
This includes gaining access to email, files, databases, or folders, as well as setting an out-of-office message on that person's account.
Who owns an employee's files and email
By policy, beyond the copyright privileges granted to faculty and students, as employees of a state agency, the University owns an employee's files and email.
Except as otherwise specified in this article, or by the University in writing, intellectual property shall belong to the University if made:
- by a University employee as a result of the employee's duties, or
- through the use by any person, including a University employee, of University resources such as facilities, equipment, funds, or funds under the control of or administered by the University.
--University of Illinois Board of Trustees General Rules, Article 3
"Section 5 - Other Intellectual Property"
https://www.bot.uillinois.edu/governance/general_rules#sec35
However, while the university owns the data and the privacy of an employee's email and files is neither a right nor guaranteed, campus policy also provides certain privacy protections for an employee's email, files, and folders.
Campus Policy
It is a violation of campus policy for unit personnel, including unit heads, to ask or instruct any individual to retrieve another person's data, or give any other person access to that data without the express consent of the authorized campus administrative officer.
Unless required by law or by authorized administrative approval to do otherwise, campus and unit-level administrators will not examine the contents of electronic messages or files, and will make every reasonable effort to protect them from unauthorized inspection.
--Campus Administrative Manual, fo-07 (APPROPRIATE USE OF COMPUTERS AND NETWORK SYSTEMS), Paragraph VI (B)
"Examination of Contents of Electronic Messages and Files"
https://cam.illinois.edu/policies/fo-07/
What is "unauthorized inspection"?
No individual may access another person's email, files, or folders without the express consent of the campus Chief Information Officer (CIO). The campus CIO, in turn, has designated the campus Chief Privacy and Security Officer as the individual responsible for approving access to another person's data.
It is understood that a system administrator may have incidental access to such data in the course of their daily duties, but the access may not be made for the purpose of discerning content or transferring access to content, or the content itself, to others without the express approval of the designated campus authority.
What is the process for receiving that approval?
Requests must be made in writing. A template indicating the format required for such a request is located at:
RequestforAccessTemplate.doc
Out-of-office replies can be put on a mailbox if necessary. The process for requesting that is described here: https://answers.uillinois.edu/illinois/129917
The request must be in writing, and signed by:
- The head of the requesting department, as well as
- The unit's executive officer (Dean of College or equivalent)
Send the request to:
Mairead Martin
Kim Milford
Campus Privacy and Information Security
2222 Digital Computer Laboratory
MC-256
The request will be reviewed in consultation with University Counsel and other officials. If possible, the person who "owns" the files and folders in question will be notified in advance of the impending disclosure to others, unless:
- there is a subpoena or other legal action that prohibits such notification, or
- where life safety/public safety issues are involved, or
- where a university investigation is taking place pursuant to published university policies.
The request will be approved only if ALL the following conditions are met:
- The request was submitted in writing through university channels and signed by both a director or department head and their Dean-level executive of the relevant unit.
- The reason for disclosure serves a legitimate university purpose
- The disclosure is not invasive of the employee's privacy interests in light of alternative ways to achieve the same purpose
- The nature and scope of the disclosure is submitted in writing and approved by the campus CIO (or his/her designee)
- The affected individuals whose data is being accessed are notified in advance of any access or disclosure, consistent with the exceptions previously noted.
What if I am concerned the files will be altered or deleted while the request is under review?
IT pros may take steps to preserve the data in question, such as by creating a backup of the material, but the privacy of the data must be maintained until the request is approved. Inspecting or allowing inspection of the data prior to formal approval being received is prohibited.
See Campus Administrative Manual, Section VIII-1.1, Paragraph VI (C)
http://cam.illinois.edu/viii/VIII-1.1.htm
What happens after I receive my approval?
The approval to access the needed data pertains only to the data which the requester specified was needed--it is not a blanket approval to inspect a person's email, files, and folders.
A disinterested third party (often an IT pro who is not an acquaintance of the employee who "owns" the material) is appointed to go through the material to determine which content meets the scope of the request, and may be disclosed to the requester.
Related Questions
If an employee's material is urgently needed for business reasons, and they are sick, on vacation, or otherwise unavailable, is it acceptable for the employee's supervisor to get access to the material without going through the approval process outlined above?
No. The approval process remains the same.
If the employee is able to log in--remotely or otherwise--and change the permissions on the material to give access to others, that is acceptable. The employee who "owns" the material may also give permission for a system administrator to give access to others. This should be in writing such as an email, in case there is a question later as to whether policy was followed.
What about former employees--do we still need to maintain privacy for a person who no longer works at the university?
Yes. This applies whether the employee leaves the university or just transfers to a different department. The process is exactly the same; unless you can get the person's permission for others to access their data, you must go through the approval process.
What can we do to help avoid having to go through the approval process?
- Because of the business process disruptions that can occur when the person who "owns" a document is not available, we urge units not to allow employees to keep work documents in personal folders on their workstations, but rather on a file share or other storage that others have access to, to minimize the disruption of business functions when an employee departs or is temporarily unavailable.
- We also discourage units from directing a unit email intake address (e.g. "department@illinois.edu") to a single person's email. Rather, direct the email to a distribution group so that more than one person receives the unit's inbound email.
- Modify your exit procedures so that when a person leaves the unit (whether leaving the department or the university), they acknowledge that they were given the opportunity to remove personal information from their email, files, and folders, and give written permission for responsible parties to access their personal folders on their unit workstation to retrieve materials. Arrange to receive from the departing employee copies of emails and files pertinent to the unit's operations.
What happens to the data of deceased individuals?
Please see the process detailed here: https://answers.uillinois.edu/illinois/internal/75376.
How is intellectual property handled?
There are sometimes patent and/or copyright questions regarding materials left behind by faculty and other researchers. There are often collaborators who request access to materials when a faculty member dies or is otherwise incapacitated. In many cases it is not clear who owns the materials--the faculty member's family, or the collaborator(s), or the university. When a request of this type is presented, the university Office of Technology Management (OTM) is brought in to review the non-personal business-related materials, and detangle the copyright and related intellectual property issues.
Forms:
Request for Out of Office Message (TDX Form)
For additional help, please email securitysupport@illinois.edu