83 SPEC Kit 360: Learning Analytics

INDIANA UNIVERSITY BLOOMINGTON
Privacy of Electronic Information and Information Technology Resources
https://policies.iu.edu/policies/it-07-privacy-it-resources/index.html

Indiana University Policy: Privacy of Electronic Information and Information Technology Resources IT-07
This PDF created on: 10/02/2017

This policy covers:

- Data and other files, including electronic mail and voice mail, stored on, encrypted on, or in transit to or from individual computer or voice mail accounts on:
    - University-owned systems/devices, or systems/devices managed by the university on behalf of affiliated organizations (e.g. Indiana University Foundation or Indiana University Alumni Association)
    - University-owned computers assigned to a specific individual or group for use in support of job functions
- University data and other university files on personally owned devices
- Telecommunications (voice and data) traffic from, to, or between any devices described above or connected to the Indiana University technology infrastructure.

1. Access by technicians and administrators that requires authorization

A technician or administrator may access or permit access to specific information technology resources and electronic information as defined in this policy, in any of the following circumstances, if the technician or administrator:

a. Permission Granted by Owner - receives a written authorization from the individual to whom the account or device or communication has been assigned or attributed or

b. Violations of Law or Policy - receives a written authorization from the appropriate campus Chancellor, Provost, Human Resources Director, or Dean of Students (or equivalent) for situations where there is reasonable belief that the individual to whom the account or device is assigned or owned has engaged, is engaging, or imminently intends to engage, in illegal activities or violations of university policy using the account or device in question or

c. Critical Operational Necessity - receives a written authorization from the senior executive officer of a department for situations in which retrieving the material is critical to the operation of the department and when the account holder is deceased, terminated, incapacitated, unavailable, or unwilling to provide access or

d. Deceased or Incapacitated Individual - receives a written authorization from the senior executive officer of a department or school who has consulted with the campus Human Resources Director, Vice Provost or Vice Chancellor of Faculty & Academic Affairs (or campus equivalent), or Dean of Students to provide access to a lawful representative (e.g., spouse, parent, executor, holder of power of attorney) of a deceased or incapacitated employee, faculty member, or student or

e. Internal Audit Need - receives a directive from the Director of Internal Audit for information relating to specific audits or investigations or

f. Response to Lawful Demand - receives authorization from the Office of General Counsel confirming that access is required under the terms of a valid subpoena, warrant, other legal order, or contract, or an applicable law, regulation, or university policy or

g. Substantial University Risk - receives an authorization (written, or verbal with written confirmation) from the appropriate campus Chancellor, Provost, Vice President, or equivalent approving access after concluding that access is needed to address an emergency or to avoid or minimize exposure of the university to substantial risk of harm or liability

h. Institutionally Approved Research - receives written authorization approving access from the Institutional Review Board, any other applicable research administrative office(s), and/or the Office of General Counsel after concluding that such access is needed in support of an institutionally approved research project and the access complies with applicable laws and University policies, including rules governing the protection of human research subjects.

2. Notification

A technician or administrator accessing information covered by this policy shall make reasonable efforts to report such access to the affected individual prior to that access, except: