97 SPEC Kit 360: Learning Analytics UNIVERSITY OF VIRGINIA IRM-012: Privacy and Confidentiality of University Information http://uvapolicy.virginia.edu/policy/IRM-012 animal facility records human and animal subject protocols consent forms medical charts and patient research files. In addition, research records include any data, document, computer file, computer diskette, or any other written or non-written account or object that reasonably may be expected to provide evidence or information regarding the proposed, conducted, or reported research that constitutes the subject of an allegation of research misconduct. User: Everyone who uses University information technology (IT) resources. This includes all account holders and users of University IT resources including, but not limited to: students, applicants, faculty, staff, medical center employees, contractors, foundation employees, guests, and affiliates of any kind. Policy Statement: The University, as steward of public resources and electronic information, shall respond to requests for electronic information in an orderly manner consistent with state and federal law. This policy applies to all users of the University’s information technology resources, regardless of location or affiliation. Release of Information: Except as provided below, the University may not release protected information about any aspect of an individual's association with the University without the prior written consent of the individual concerned or unless legally required (e.g., Virginia Freedom of Information Act (FOIA) or legal request). Within the University, access to such records shall be restricted to authorized personnel for authorized reasons, as determined by the President or his/her delegated representative, such as the Vice-Presidents and Deans, and such others as are agreed to in writing by the individual concerned. Except as provided below, the employees of the University will not monitor the content of electronic communications of its users including personal and University records, files, and data, nor will it examine the content of a user’s electronic communications or other electronic files stored on its systems except under certain circumstances. Monitoring and Access: Monitoring and/or Access without further Authorization or Notification: Legal or administrative circumstances where monitoring and/or access may occur without further authorization or notification include: Communications or files subject to legal orders or demands (e.g., subpoena, warrants, and national security letter) or requested in accord with FOIA. Supervisor and/or Internal Audit review of University telephone system local or long- distance call records. Electronic communications or files that have been inadvertently exposed to technical staff who are operating in good faith to resolve technical problems. When technical staff inadvertently discovers potentially illegal content in communications or files, they are required to report it. Otherwise, the University expects technical staff to treat inadvertently encountered electronic communications and files of users as confidential. Routine administrative functions, such as security tests to maintain and/or verify the security and/or integrity and/or availability of the University’s IT resources, e.g., password testing to identify guessable passwords, investigations of attempted access into systems by unauthorized persons, or email scanning for malware. See policy IRM-004, Information Security of University Technology Resources for additional details. Officially sanctioned research projects or projects authorized by the University to be conducted under a data use agreement that limits the disclosure of protected information. To the extent permitted by law, the University may disclose, to an alleged victim of any crime of violence (as that term is defined in section 16 of title 18, United States Code), the results of any disciplinary proceeding conducted by the University against the alleged perpetrator of such crime with respect to such crime. 1. I.