98 Institution Privacy Policies UNIVERSITY OF VIRGINIA IRM-012: Privacy and Confidentiality of University Information http://uvapolicy.virginia.edu/policy/IRM-012 Monitoring and/or Access Requiring Official University Review and Approval: Circumstances where monitoring and/or access requires official University review and approval by an authorizing official who is the President or the relevant vice president (or delegate) responsible for the affected user (e.g., employee or student): Business continuity of the University to proceed [e.g., access to data associated with a user (e.g., employee) who has been terminated, separated, is pending termination or separation, is deceased, is on extended sick leave, or is otherwise unavailable]. An inquiry, assessment, or investigation into violation(s) of law or policy, or in response to potential or actual litigation. Requests for electronically stored information (ESI) from members of the University's Honor Committee or Judiciary Committee, the Title IX Coordinator and/or designee acting under the University's Policy on Sexual and Gender-Based Harassment and Other Forms of Interpersonal Violence, or faculty conducting individual student- academic-issue investigations. Emergency situations involving a potential threat of harm to persons or property as determined by an authorizing official who is the President or the relevant vice president (or delegate) in consultation with University Counsel. Those units of the University that engage in routine monitoring or examination of employee(s) electronic communications or files as part of the work environment must inform the affected employee(s) in advance, via a written communication (e.g., policy statement) that such monitoring or examination will be taking place. 2. Accessing Electronically Stored Information of a Deceased Person: The University will not grant access to data from a deceased user’s electronically stored information in the custody of the University without the prior written consent of the deceased individual concerned or unless allowed or required by law or legal requests [e.g., Freedom of Information Act (FOIA), Uniform Fiduciary Access to Digital Assets Act (UFADA)]. 3. Compliance with Policy: Any misuse of data or IT resources may result in limitation or revocation of access to University IT resources. In addition, failure to comply with requirements of this policy and/or its standards may result in disciplinary action up to and including termination or expulsion in accordance with relevant University policies, and may also violate federal, state, or local laws. Questions about this policy should be directed to the Contact Office. II. Procedures: Privacy and Confidentiality Standards and Procedures Standards Procedures ESI Release ESI Release Exceptions Responsible Computing Handbook for Faculty and Staff Related Information: See related Guidance for Vice Presidents on Policy on Monitoring/Review of Employee Electronic Communications or Files document The Commonwealth of Virginia Human Resource Policy 1.75 Commonwealth of Virginia Freedom of Information Act (FOIA) Stored Wire and Electronic Communications And Transactional Records Access