A. Complaint Filing
- Complaints may be filed via e-mail (firstname.lastname@example.org), telephone (805.756.7000), in writing, in person, or internally through routine monitoring and detection of a system/network problem or unusual event.
- Complaints must be filed by the individual who was harmed or by the administrator of the network/system that was harmed by the use. Cal Poly will respond to requests for assistance from law enforcement accompanied by a court order, subpoena or search warrant.
- Cal Poly will act on anonymous and third party complaints only in the event of a health and safety issue. Otherwise, the individual who has been harmed will be contacted and asked to file a formal complaint.
- Suspected infractions occurring on external or departmental systems should be reported to the administrator responsible for the system or network. A copy should be sent to email@example.com for tracking.
- System and network administrators, supervisors or offices receiving a complaint or discovering a possible violation should notify firstname.lastname@example.org.
- Information Services (IS) may also be contacted to report infractions when the complainant is unable, or it is not desirable, to do so through other channels.
B. Complaint Review and Investigation
- The Vice Provost/Chief Information Officer or designee reviews each complaint to initially determine whether a potential policy or legal violation has occurred based on the evidence provided.
- If not, the complainant is notified in writing as to why it does not constitute a violation and the incident will be closed.
- If yes, but additional information is needed, the complainant will be asked to provide it, e.g., system logs, e-mail headers, etc.
- If yes, but the violation does not involve University resources, the complainant will be advised on what if any action they can take.
- If the complainant fails to produce enough evidence to make a determination, they will be notified and the incident will be closed and filed for future reference.
- If it appears a violation has occurred and sufficient evidence has been gathered, IS will make an initial determination as to what happened, where it happened, and who initiated the activity. A trouble ticket will be created for each unique event to track and record the incident investigation and resolution.
- If the event occurs on a centrally-managed system, IS will investigate further and seek informal or formal resolution.
- If the event occurs on a decentralized system, IS will refer it to the appropriate system administrator to investigate and report back on any findings and actions taken. IS may elect to take further action based on those reports. IS may recommend preventative measures to avoid future violations.
- If the event involves a breach of system security in which any individual's unencrypted personal information was, or is reasonably believed to have been, disclosed to an unauthorized person, the breach should be reported immediately to Information Services, the campus Information Security Office, and the appropriate "user owner" as specified in Section E below.
- A serious incident may result in simultaneous investigations and actions by ITS, non-ITS system/network administrators (e.g., ResNet), and law enforcement.
- Marketing and Communications will be contacted to represent the University if the matter requires interaction with the public, media or other outside interests.
- Information Services will assist University officials with securing and interpreting evidence and conducting investigations when requested or legally required to do so.
C. Informal Resolution
- Once it has been determined that a violation has occurred and the nature of the violation is known, the Vice Provost/Chief Information Officer or designee will contact the alleged violator by e-mail, phone or in-person to informally resolve the complaint.
- The individual will be advised of the nature of the complaint and the evidence collected and asked to provide an explanation.
- If the individual does not appear to be responsible (e.g., a third party misused their account), they will be counseled on how to prevent future occurrences of the specific problem and the investigation will continue.
- If a Cal Poly community member is responsible but the violation appears to be accidental or unintentional on their part, the user will be counseled on how to prevent future occurrences of the specific problem.
- If they have no history of prior violations, they will generally be given a warning and advised that future violations will result in formal action.
- Individuals with a prior history of violations or involved in a serious violation will be referred to the appropriate campus authority for formal action and resolution.
D. Formal Resolution
- Formal actions, including disciplinary hearings, imposition of sanctions, and appeals will be handled through existing disciplinary/grievance processes for Cal Poly students, faculty and staff.
- Information Services will refer such incidents to the designated campus authority:
- Students will be referred to the Office of Student Rights and Responsibilities
- Staff will be referred to the appropriate Human Resources department (State, ASI, or Corporation)
- Faculty will be referred to Academic Personnel
- It will be the VP/CIO or designee's role and responsibility to advise and counsel the appropriate disciplinary authorities regarding the nature of the violation and its impact on campus resources, policy and practices, and to assist them in determining the seriousness of the offense if necessary.
- The following individuals may also be contacted: sponsor, advisor, supervisor, department head/chair, dean, and/or program administrator/manager.
- Matters involving misuse of institutional data will be referred to the campus Information Security Office.
- Potential legal violations and threats to individual health and safety will be referred to the Cal Poly University Police.
- Information Services may confer with University Legal Counsel to help determine if a legal violation has occurred before referring the matter to law enforcement officials.
- Based on their investigation, University Police may refer these to the local district attorney or the University for further action.
E. Notification of Disclosure of Personal Information
- Any Cal Poly student, faculty, staff, consultant, contractor or any other individual having access to personal information (as defined in Appendix A) maintained by the university shall immediately notify one or more of the following offices regarding any security breach in which an individual's unencrypted personal information has been, or is reasonably believed to have been, disclosed to an unauthorized person:
- Information Services - email@example.com - all disclosures
- Information Security Office - 805.756.5595 - (firstname.lastname@example.org) - all disclosures
- Academic Records - 805.756.2531 - disclosure of student information
- Human Resources (State) - 805.756.2236 - disclosure of State employee information (faculty and staff)
- Human Resources (ASI) - 805.756.1281 - disclosure of ASI employee information
- Human Resources (Corporation) - 805.756.1121 - disclosure of Corporation employee information
- Based on the nature of the suspected breach and classification of data involved, Cal Poly's Information Security Office (ISO) will notify the appropriate Cal Poly and CSU authorities in accordance with the Cal Poly Breach Notification Communication Plan.
- If Level 1 data was potentially disclosed, the ISO will work with the CSU Chancellor's Office and appropriate campus entities to notify the affected parties and external agencies, if applicable
- Affected individuals will be notified in writing, by email or other methods prescribed by California Civil Code 1798.29. While California law only requires notification of California residents, it is the practice of the University to notify all affected individuals.
- Notification will be based on contact information currently on file with the Registrar's Office (for students), applicable Human Resources offices (for employees), Alumni Services (for alumni), or other applicable office (for affiliates, etc.). A sample notification letter is available and will be provided by the campus Information Security Office as the need arises.
- Cal Poly units are responsible for notifying third parties (e.g., outside contractors, consultants, etc.) regarding this requirement for disclosure and for obtaining, in writing, their agreement to comply with campus confidentiality-security and responsible use policies and practices.
F. Final Disposition
- Information Services will notify the complainant as to the disposition of their complaint. This could range from advising as to why the matter does not constitute a violation to providing final notice that the matter has been resolved.
- Specific information about the individual involved will not be disclosed.
- Information Services will record each incident and its resolution to track recurring violations and repeat offenders and to inform future changes to the policy/practices.
- Information Services will implement technical sanctions imposed by the designated campus authority as a result of a formal disciplinary process or as required by law.
Return to RUP Table of Contents