Information Technology Standard 02.12.0

Privacy and Confidentiality of University Information Standard


Date of Current Revision or Creation: September 2024


The purpose of an Information Technology Standard is to specify requirements for compliance with Old Dominion University Information Technology policies, other University policies, as well as applicable laws and regulations.  Standards may include business principles, best practices, technical standards, migration and implementation strategies, that direct the design, deployment and management of information technology.

Purpose

The purpose of this standard is to establish guidelines for the monitoring, access, and privacy of electronically stored information (ESI) under the control of University employees. It outlines the circumstances under which the University may access or monitor records and communications, ensuring compliance with legal obligations and University policies. This standard seeks to balance the University's commitment to protecting individual privacy with its responsibilities as a steward of public resources and electronic information. It applies to all users of the University's information technology systems, regardless of their location or affiliation.

Definitions

Authorizing Official - An individual designated with the authority to approve requests for access to electronically stored information (ESI) or other sensitive data within an organization.

Electronically Stored Information (ESI) - Data or information that is created, stored, and managed in digital or electronic form within ODU's electronic systems.

Monitoring – The process of reviewing, observing, or tracing activities on University IT systems

Non-Content Information - Information that does not include the actual content of communications, such as authentication logs or user account settings.

System(s) - refers to a collection of components (hardware, software, personnel, data, and/or configuration) that provides a service or fulfills a business use case, regardless of where it is hosted or who administers it.

Standards Statement

The University may access records or monitor record systems or communications under the control of its employees. As the steward of public resources and electronic information, the University is committed to handling requests for electronically stored information (ESI) in a manner that is both orderly and compliant with state and federal laws. This standard applies to all users of the University’s information technology systems, regardless of their location or affiliation. While the University is dedicated to protecting individual privacy and safeguarding personal information, this commitment is subject to limitations imposed by applicable local, state, and federal laws, as well as the provisions outlined in this standard.

Each user should be aware that there is no expectation of privacy for any message, file, image, or data created, sent, retrieved, or received using the University’s equipment, network, or purchased software. The University retains the right to monitor any aspect of its IT systems at any time, without notice or the user’s consent. However, except in specific circumstances, University employees are not permitted to monitor or review the content of users’ electronic communications, including personal and University-related records, files, and data. Examination of a user’s electronic communications or other electronic files stored on University systems will only occur under approved and documented conditions.

Release of Information: The University will not disclose protected information related to an individual’s association with the institution without obtaining prior written consent from the individual, unless required by law (e.g., Freedom of Information Act (FOIA) or legal request). Access to such records within the University is strictly limited to authorized personnel, who may only access this information for approved purposes as determined by the President or their designated representatives, such as Vice Presidents or Deans.

Old Dominion University values academic freedom and free expression as core principles, and this policy has been designed with those principles in mind.

Additionally, as the steward of public resources and electronic information, the University is committed to handling requests for electronic information in a manner that is both orderly and compliant with state and federal laws. This standard applies to all users of the University’s information technology systems, regardless of their location of affiliation.    

Except in specific circumstances outlined below, University employees are not permitted to monitor or review the content of users’ electronic communications, including personal and University-related records, files, and data. Examination of a user’s electronic communications or other electronic files stored on University systems will only occur under approved and documented conditions.

  1. Monitoring and Access

    1. Monitoring and/or Access without further Authorization or Notification:
      Monitoring and/or Access may occur without further authorization or notification under the following legal or administrative circumstances:

      • Compliance with Legal Orders: Monitoring or access may be required by legal orders or demands, such as subpoenas, warrants, national security letters, or requests made in accordance with the Freedom of Information Act (FOIA)
      • Technical Issue Resolution: If technical staff inadvertently encounter electronic communications or files while resolving technical issues, they are obligated to report any potentially illegal content. Otherwise, the University expects technical staff to maintain the privacy of user communications and files.
      • Routine Administrative Functions: Regular administrative activities, such as security tests to ensure the security, integrity, and availability of the University’s IT resources, may involve monitoring. This includes tasks like password testing to identify weak passwords, investigating unauthorized access attempts, or scanning emails for malware.
      • Sanctioned Research Projects: Officially sanctioned research projects or those authorized by the University, conducted under a data use agreement, may involve monitoring to ensure compliance with restrictions on protected information disclosure.
    2. Monitoring and/or Access Requiring Official University Review and Approval:
      Monitoring or accessing electronically stored information (ESI) and Non-content information requires formal review and signed approval by several authorized University officials, such as the President’s office, relevant vice presidents or department heads, under the following circumstances:

      • Business Continuity:  To ensure the uninterrupted operations of the University access may be granted to the data of an employee who has been terminated, separated, is pending termination or separation, is deceased, on extended sick leave, or is otherwise unavailable.
      • Investigations and Legal Matters:  Access may be authorized as a part of an inquiry, assessment, or investigation into potential violations of law or policy, or in response to actual or anticipated litigation.
      • Academic and Disciplinary Investigations: Requests for ESI may be granted to members of the University’s Honor Council, the Title IX Coordinator, and/or designee acting under the University Policy 1005 Discrimination Policy, or faculty conducting investigations related to student academic issues.  
      • Emergency Situations: In cases involving an imminent threat to persons or property, access may be approved by an authorizing official, in consultation with University Counsel.
      • Routine Monitoring: University units that routinely monitor or examine employee electronic communications or files as part of their work environments must inform affected employees in advance through written communications, such as a standard statement, that such monitoring or examination will occur.
    3. Accessing Electronically Stored Information (ESI) of a Deceased Person:
      The University will not permit access to the personal data of a deceased user stored in its systems without prior written consent from the deceased individual or unless required by law or legal mandate. However, University Records contained within that electronically stored information may be accessed following the Electronically Stored Information Release Procedures.
  2. Compliance with Standard:
    Misuse of data or IT resources may lead to restricted or revoked access to University IT resources. Additionally, non-compliance with this standard and its associated standards and procedures may result in disciplinary actions, up to and including termination or expulsion in accordance with relevant University policies. Such violations may also breach federal, state, and local laws.

Related Information

History

Date Responsible Party Action
September 2024 Technology Policy Office Created