Electronically Stored Information Release Standard
Date of Current Revision or Creation: September 2024
The purpose of an Information Technology Standard is to specify requirements for compliance with Old Dominion University Information Technology policies, other University policies, as well as applicable laws and regulations. Standards may include business principles, best practices, technical standards, migration and implementation strategies, that direct the design, deployment and management of information technology.
Purpose
Establish guidelines for accessing and releasing electronically stored information (ESI) within the University. Ensuring that access to ESI, beyond regular business operations, is conducted with proper approvals and adherence to confidentiality requirements. The standard is designed to protect the privacy of individuals' electronic communications and files, while providing a clear framework for managing requests related to business continuity, investigations, or other organizational needs.
Definitions
Electronically Stored Information (ESI) - Data or information that is created, stored, and managed in digital or electronic form within ODU's electronic systems.
Non-Content Information - Information that does not include the actual content of communications, such as authentication logs or user account settings.
Standards Statement
In certain circumstances, such as investigations or business continuity needs, access to electronic communications and files stored on University systems may be required. This access extends beyond routine University business activities or publicly available information and is only permitted with proper authorization. Such access to electronically stored information (ESI) must be approved by designated ODU officials and comply with all relevant University policies and standards.
Requests to monitor or review electronic communications or files will only be approved when supported by valid justification, which must be based on specific business needs, legal obligations, or credible evidence of policy or legal violations involving the individual whose ESI will be reviewed or monitored. Typically, these authorization requests are initiated by supervisors, HR staff, legal counsel, or the registrar, and may also come from investigative bodies within the University, such as the audit department, Police Department, or Office of Institutional Equity and Diversity.
User ESI Authorization
Authorization to access a user’s ESI requires signed approval from the University President’s Office, the Office of University Counsel, and the Vice President of Digital Transformation and Technology. Direct supervisors cannot authorize or accept access to an employee’s account or credentials without the necessary approvals from these officials.
Non-Content Information Authorization
Before authorizing access to ESI or non-content information, the vice president, CISO, department head, or designee must carefully evaluate the justification to ensure there is a legitimate need for access. Confidentiality must be maintained, and consulting with legal counsel may be appropriate to determine whether to grant access and whether the affected individual or other parties should be informed.
Related Information
History
Date | Responsible Party | Action |
September 2024 | Technology Policy Office | Created |