Reviewed and approved by the Information Governance Committee, June 2014
IT staff may not access individual accounts or information stored by an individual in a technology service without permission. This standard includes University-owned computer systems, IT services hosted on campus, and University cloud-based services (e.g. Google Workspace, Box). The following provisions apply to this standard.
Access with Explicit Permission
In cases where IT staff are assisting an individual with the use of a service, they may incidentally access information stored in that service only after receiving explicit written or verbal permission from the individual.
Permission should involve a clear statement of what the IT staff member is planning to do and what access they will have. For example, “Is it OK if I open this file to help you with the formatting?”
Permission granted in this manner should be considered one-time permission granted for the purpose of resolving a single incident. Future access should take place only after obtaining permission from the user again.
The IT staff member should record the circumstances under which they accessed the account and the method by which the user granted permission, e.g. in a support ticket. If the IT staff member is helping the user in person under the user’s supervision, it is not necessary to create a support case.
Departmental Accounts (Shared)
These procedures do not apply to individual data that users store in an account assigned to a department or unit. Access to information contained within departmental accounts should be granted by the departmental account owner(s). If the departmental account owner is no longer at the University, the OIT’s Departmental Account Change Process should be followed, and the new account owner may grant permission to access the account data.
These procedures do not apply to information that users store in University or departmental administrative systems (e.g. Endeavor, Banner, OnBase). Access to information in those systems follows the standard processes and controls in place for those systems.
Logs and Troubleshooting Information
These procedures do not apply to logs used by IT staff for maintenance and troubleshooting purposes. Use of these logs may involve incidental access to metadata, such as file names, but should not include access to the contents of messages or files.
These procedures do apply to logs used for any other purpose, including investigations of any kind.
Requests for information from law enforcement officials or University administrators conducting an investigation, including Notre Dame Security Police, require the written approval of the Vice President for Information Technologies and General Counsel. For University investigations, the Vice President, Dean, or Senior Director of the department conducting the investigation should initiate the request.
The Director of Information Security will coordinate the approval process and maintain records of all investigation requests and approvals in electronic form. These records will be retained for at least one year from the date the request is completed. Due to the sensitivity of some of these requests, access to the request and approval records will be limited to only those involved in the investigation.
Investigations should be conducted in as narrow a manner as possible. The number of staff involved in the access should be limited as much as possible, and information produced for the investigation must be protected and secured.
Shared Data of Individuals Leaving the University
In cases where an individual leaves the University and has shared information with other individuals as collaborators (e.g. shared a document in Google Drive), IT staff may take measures to continue that access upon request of one of the collaborators. This provision does not apply to information that the owner deleted from an account or did not grant permission to access prior to leaving the University.
In these cases, the IT staff member granting the access will record the request and circumstances in a support case.
In all other cases, IT staff must obtain permission prior to accessing information in an individual’s account or system. The individual requesting access should send a formal request including justification to his or her Vice President, Dean, or Senior Director. If the user’s Vice President, Dean, or Senior Director endorses the request, they should forward the request to both the Vice President for Information Technologies and General Counsel.
The Director of Information Security will coordinate the approval process and maintain records of all requests and approvals in electronic form. These records will be retained for at least one year from the date the request is completed. Due to the sensitivity of some of these requests, access to the request and approval records will be limited to only those involved in the access request.
In cases where the account owner should no longer have access to the account, the requester must also file an Immediate Account Suspension request through the Help Desk. If this is not done, the account owner will retain permissions to add, modify and/or remove information.