Summary: Procedure for requesting copies of or access changes to digital assets.

This is the proper procedure to be used by all university officials to obtain university digital files, or change ownership of university online resources; where shared access is not established.

For official use only.

Quick Notes:

• Final authorization must be granted by the Office of the CIO or its delegate(s) to proceed.

• A better alternative to this procedure: have the requesting officials attempt to get the person who controls such files to officially grant access.

• Requesters must complete and submit the request form: https://go.illinois.edu/request-for-access-form

• Any questions not answered in this article should be directed to security@illinois.edu.

• Process not for emergency access. If you are UIPD and this is an exigent/emergency circumstance, dial security on-call: 265-0000, option 3. 

Full Article:

The procedure:

1) Complete a request form and submit: https://go.illinois.edu/request-for-access-form.

Needed for the request:

• • Scope/specifics of request
    
    • Note: Be precise about what materials will satisfy your business justification (below).
      • If items might be identified by using certain subject or object keyword searches, state which keywords.
      • Broad scopes such as "all files: entire storage" or "all email" not matching a stated business justification may be sent back at the evaluation step for clarification.
      • Review "approval conditions" listed in step #4, Approval, below
  • Business justification
    • Typical examples:
      • University business continuity
      • Recovery of critical research/research admin data

1. • Two(2) unit executives must countersign the request. At minimum, this will be:
     • An executive director and;
     • An executive (usually the person to whom that executive director reports)
       
       • Typical examples:
         • Department Head/Dean
         • Executive Director/AVP
         • Executive Director/C-level executive
         • Executive Director/Senior Executive Director
         • Program head/Dean
         • Executive Director/Vice Provost

2) Finalize executive request (via email):

• • After submission, both countersigning execs will receive an email
  • To finalize the request, both must click "Approve", a button in TDX.

3) CISO (or designée) Evaluates approval

• Any needed clarification steps may happen here and/or discussion of scope

4) Approval

• The request will be approved if all the following conditions are satisfied:

1. 1. The request was approved by both a director or department head and their Dean-level executive of the relevant unit.
   2. The reason for disclosure serves a legitimate university purpose.
   3. The disclosure is not invasive of an employee's privacy interests in light of alternative ways to achieve the same purpose.
   4. The nature and scope of the disclosure is submitted in writing and approved by the campus CIO (or designée).

Related Policies & Procedures

https://cam.illinois.edu/policies/fo-07/ University of Illinois at Urbana-Champaign Campus Administration Manual; Appropriate Use of Information and Technology

https://answers.uillinois.edu/illinois/129917 Departed/unavailable employee: Set automatic replies ("out-of-office" reply) for a university mailbox.

https://answers.uillinois.edu/illinois/75376 Deceased university employee data requests

FAQ

Why is this necessary?

This process may override access intent (suggested or explicit) set upon university-owned information or digital assets. These are things where no shared access was granted (whether intentional or otherwise) by another university official. If the university discovers an official need, but has no access, it must follow this process to gain official approval from the Office of the CIO before executing access changes or inspecting contents.This includes accessing email, laptops, files, databases, or folders; making copies of files after gaining access; changing permissions to recover official communications or services; or setting an out-of-office message for someone's account.

Can I use this procedure to gain login access to someone's account?

No.

It is impermissible to "impersonate" another person's identity or do so by logging in as them. When authorized access is performed, it will be done as another authorized party, and logged accordingly.

What if I am concerned the files will be altered or deleted while the request is under review?

The university may take immediate, positive steps to preserve any data while this approval procedure is carried out, such as by creating backup archives. However, inspection or use of any such data is prohibited until official authorization is received.

If university data is urgently needed for business reasons, and the controlling employee is unavailable, is it acceptable for the employee's unit to access data without going through the approval process outlined above?

No. 

If the employee is able to log in--remotely or otherwise--and change the permissions on the material to give access to others, that is also acceptable. 

The employee who controls access to the material may also grant access or give written permission for a system administrator to change access rules, granting access. Any permission should be in writing such as an official email, so that it is demonstrable by all sides that the procedure was followed.  

You may however take immediate, positive steps to preserve any data while this approval procedure is carried out, such as by creating backup archives. However, inspection or use of any such data is prohibited until official authorization is received.

What about former employees--do we still need to use this process for a person who no longer works at the university?

Yes. 

This applies whether the employee leaves the university or just transfers to a different department.  The process is the same unless permission can be obtained, in writing, by the controlling person to access the data.

This is a lot of avoidable overhead. What are the best things to do to avoid it?

1. For all university work products and services, assign group or multiple colleague access permissions. Because business process disruptions can occur when that one person who controls important digital content becomes unavailable.
   

2. Discourage strongly faculty, staff, and other employees or contractors from keeping work documents in personal folders, email, thumb drives, or personal cloud storage. Not only does that make them hard (and at times, impossible) to recover if the need arises, it can become a big security problem. Break everyone of the habit. Use a file share or other approved shared storage such as departmental file shares, Box, or OneDrive.

3. Do not redirect your official email address (e.g. "department@illinois.edu") to anyone's personal email address. Rather, direct the email to a distribution group so that more than one person receives the unit's inbound email. That way, if one admin becomes suddenly unavailable, the business of the university may continue with not much ado.
   

4. Beef up employee off-boarding procedures such that when faculty and staff depart (whether leaving the department or the university), they provide written permission for responsible parties to to retrieve official materials from university computers, storage devices, file stores, or any other official digital assets. Arrange to collect from the departing employee any copies of emails and files pertinent to university and unit business.
   

What happens after a request is approved where the approved scope of assets are mixed in with a bunch of other stuff?

For example, if the scope is "research files related to grant X" on a hard drive full of many other files.

In such instances where files are not easily segregated, the requesting unit must:

• • Designate a disinterested third party to sort through the materials. This individual must then:

    • Remove data not relevant to the stated scope.
      

    • Remove personal files
      

    • Package and deliver in-scope material is transferred to new media and turned over to the requester.

    • Arrange secure-private storage for or secure disposal of the original media.

What happens to the data of deceased individuals?

Please see this KB article: https://answers.uillinois.edu/illinois/75376. Note that the approval process for a department requesting access to the data of a deceased individual is the same as the process for an individual who is unavailable for any other reason.

Can someone who is not a university official use this process?

No.

All requests must be countersigned in approval by 2 university executives. External obligations are stewarded still by university executive sponsorship, and shepherded though this process, even Law enforcement requests (must go through University Legal Counsel, unless there are clear, exigent life-safety circumstances)

Can I use this process to access personal or student information?

In general, no.

There is an exception however: Office of the CIO will assist University Legal Counsel when facilitating production of responsive information demanded within subpoenas, warrants, or other similar legal requirements. 

How is intellectual property handled?

There are sometimes patent and/or copyright questions regarding materials left behind by faculty and other researchers. There are often collaborators who request access to materials when a faculty member dies or is otherwise incapacitated. In many case it is not clear who owns the materials--the faculty member's family, or the collaborator(s), or the university.  When a request of this type is presented, the university Office of Technology Management (OTM) is brought in to review the non-personal business-related materials, and detangle the copyright and related intellectual property issues.