Security, Policy, Access to employee's email/files/folders by someone other than employee

Explanation of policy and procedures to access another person's email/files/folders.

Summary:

Units may not have access to an employee's email, files, or folders without proper authorization.  If the employee is able to give consent, this is the easiest method. The employee should send an email to the supervisor, or somehow put the permission in writing. In instances where an employee is unable to give consent, units must fill out the appropriate authorization form and get the appropriate approvals, as described below.

The Request for Access form is located at this link: https://go.illinois.edu/request-for-access-form

Any questions not answered in this article should be directed to security@illinois.edu.

Full Article:

When an employee is unavailable (out sick, no longer employed at the university, passed away, etc), there are unfortunately sometimes important business-related documents or other information in the employee's personal email, files, or folders. In that case, unit personnel will often request access to information that may be needed to continue the campus business that employee was working on.

It is important to recognize that for privacy reasons, campus policy requires an approval process to be followed before any IT Pro or other personnel with administrative access are permitted to provide such access to anyone other than the employee whose user account is named as the "owner" of those items. This includes gaining access to email, files, databases, or folders, as well as setting an out-of-office message on that person's account.

Who owns an employee's files and email

By policy, beyond the copyright privileges granted to faculty and students, as employees of a state agency, the University owns an employee's files and email.

Except as otherwise specified in this article, or by the University in writing, intellectual property shall belong to the University if made:

  1. by a University employee as a result of the employee's duties, or
  2. through the use by any person, including a University employee, of University resources such as facilities, equipment, funds, or funds under the control of or administered by the University.

--University of Illinois Board of Trustees General Rules, Article III, Section 5 "Other Intellectual Property"
https://www.bot.uillinois.edu/governance/general_rules

However, while the university owns the data and the privacy of an employee's email and files is not a right nor guaranteed, campus policy also provides certain privacy protections for an employee's email, files, and folders.

Campus Policy

It is a violation of campus policy for unit personnel, including unit heads, to ask or instruct any individual to retrieve another person's data, or give any other person access to that data without the express consent of the authorized campus administrative officer.

Unless required by law or by authorized administrative approval to do otherwise, campus and unit-level administrators will not examine the contents of electronic messages or files, and will make every reasonable effort to protect them from unauthorized inspection.

-Campus Administrative Manual, fo-07 (APPROPRIATE USE OF COMPUTERS AND NETWORK SYSTEMS), Section 6.b
"Examination of Contents of Electronic Messages and Files"

https://cam.illinois.edu/policies/fo-07/#6b

What is "unauthorized inspection"?

No individual may access another person's email, files, or folders without the express consent of the campus Chief Information Officer (CIO). The campus CIO, in turn, has designated the campus Chief Privacy and Security Officer as the individual responsible for approving access to another person's data.

It is understood that a system administrator may have incidental access to such data in the course of their daily duties, but the access may not be made for the purpose of discerning content or transferring access to content, or the content itself, to others without the express approval of the designated campus authority.

 

What is the process for obtaining approval to access a person's data when they are unable to provide consent?

Fill out a Request for Access form at this location: https://go.illinois.edu/request-for-access-form.

NOTE: The form will require the approval of both the head of the requesting department, as well as the unit's executive officer (Dean of College or equivalent). These two individuals will receive an email and will be required to click an "Approve" button in TDX to finalize the request, before it goes on to the Chief Privacy and Security Officer for approval.

The request will be approved only if ALL the following conditions are met:

  1. The request was approved by both a director or department head and their Dean-level executive of the relevant unit.
  2. The reason for disclosure serves a legitimate university purpose.
  3. The disclosure is not invasive of the employee's privacy interests in light of alternative ways to achieve the same purpose.
  4. The nature and scope of the disclosure is submitted in writing and approved by the campus CIO (or his/her designee).

NOTE: Out-of-office replies can also be put on a mailbox if necessary. There is a different form for requesting that, see this KB article: https://answers.uillinois.edu/illinois/129917

What if I am concerned the files will be altered or deleted while the request is under review?

IT Pros may take steps to preserve the data in question, such as by creating a backup of the material, but the privacy of the data must be maintained until the request is approved. Inspecting or allowing inspection of the data prior to formal approval being received is prohibited. 

-Campus Administrative Manual, fo-07 (APPROPRIATE USE OF COMPUTERS AND NETWORK SYSTEMS), Section 6.c.ii
"Process for Requesting Disclosure of Contents of Messages and Files"
https://cam.illinois.edu/policies/fo-07/

What happens after the request is approved?

The approval to access the needed data pertains only to the data which the requester specified was needed--it is not a blanket approval to inspect a person's email, files, and folders.

A disinterested third party (an individual, often an IT Pro, who is not the requester and is also not an acquaintance of the employee who "owns" the material) will need to be appointed to go through the material to determine which content meets the scope of the request, and may be disclosed to the requester. Any personal items or other data not relevant to the department's need will be removed. Only after this work is complete will the material be turned over to the requester.

 

Related Questions

If an employee's data is urgently needed for business reasons, and they are sick, on vacation, or otherwise unavailable, is it acceptable for the employee's supervisor to get access to the material without going through the approval process outlined above?

No. The approval process remains the same.

If the employee is able to log in--remotely or otherwise--and change the permissions on the material to give access to others, that is acceptable.  The employee who "owns" the material may also give permission for a system administrator to give access to others. This should be in writing such as an email, in case there is a question later as to whether policy was followed. 

 

What about former employees--do we still need to maintain privacy for a person who no longer works at the university?

Yes.  This applies whether the employee leaves the university or just transfers to a different department.  The process is exactly the same; unless you can get the person's permission for others to access their data, you must go through the approval process.

What can we do to help avoid having to go through the approval process?

  1. Because of the business process disruptions that can occur when the person who "owns" a document is not available, we urge units not to allow employees to keep work documents in personal folders on their work stations, but rather on a file share or other storage that others have access to, to minimize the disruption of business functions when an employee departs or is temporarily unavailable.

  2. We also discourage units from directing a unit email intake address (e.g. "department@illinois.edu") to a single person's email.  Rather, direct the email to a distribution group so that more than one person receives the unit's inbound email.

  3. Modify your exit procedures so that when a person leaves the unit (whether leaving the department or the university), they acknowledge that they were given opportunity to remove personal information from their email, files, and folders, and give written permission for responsible parties to access their personal folders on their unit workstation to retrieve materials.  Arrange to receive from the departing employee copies of emails and files pertinent to the unit's operations.

 

What happens to the data of deceased individuals?

Please see this KB article: https://answers.uillinois.edu/illinois/75376. Note that the approval process for a department requesting access to the data of a deceased individual is the same as the process for an individual who is unavailable for any other reason.

How is intellectual property handled?

There are sometimes patent and/or copyright questions regarding materials left behind by faculty and other researchers. There are often collaborators who request access to materials when a faculty member dies or is otherwise incapacitated. In many case it is not clear who owns the materials--the faculty member's family, or the collaborator(s), or the university.  When a request of this type is presented, the university Office of Technology Management (OTM) is brought in to review the non-personal business-related materials, and detangle the copyright and related intellectual property issues.