Responsible Use Policy - FAQ #4 - Privacy Issues
- What reasonable expectations of privacy should I have when accessing or using University IT resources?
- Should my expectations of privacy differ if I'm a student, faculty or staff member?
- Who is authorized to access files, including e-mail, that may be created and stored on University computers by an individual student, faculty or staff member? Under what circumstances might such files be accessed without the user's permission or knowledge?
- How and when do the Freedom of Information Act and California Public Records Act apply to user files, including e-mail, stored on University computers?
- The University reserves the right to "monitor" systems. What is meant by the term "monitor"? Under what circumstances is monitoring likely to occur? Who is authorized to perform such monitoring?
- If a suspected violation is detected as the result of routine monitoring, who will be notified and what is the process or procedure for notifying the user?
- If I'm engaged in research, collective bargaining, or other sensitive job-related activities that require me to access, create, transmit and/or use computer data or files, how can I ensure that such materials remain confidential when using University IT resources?
- Does the restriction on individualized monitoring prohibit a supervisor or co-worker from accessing an employee's computer files for work-related purposes?
- Why doesn't the policy prohibit all personal use of University computing resources? Why doesn't the policy permit unrestricted personal use of University computing resources?
- Does the restriction on use of University computing resources for commercial, personal financial or other gain prohibit faculty from using such resources in connection with their consulting work?
- How does the policy apply to personal viewing or transmittal of sexually explicit and other potentially offensive materials?
- How will I know if my personal information residing on University servers has been or may have been disclosed to an unauthorized person?
As a user, you can reasonably expect any file you create to be considered private to the greatest extent possible while under University control. However, because these are taxpayer funded resources, you should be aware that the California Public Records Act and other similar laws make it impossible for the University to guarantee complete protection of an individual's personal electronic communications residing on University facilities. Any file stored on University resources may be subject to disclosure under these laws or as the result of litigation. In addition, the materials you create may be stored for some period of time in system backups, which are also subject to disclosure and may contain files or messages you thought were deleted. Confidentiality may also be compromised by unintended redistribution by recipients or by inadequacy of current technologies to protect against unauthorized access by others. Therefore, users should exercise extreme caution in using University or any other electronic communications to transmit confidential or sensitive matters.
2. Should my expectations of privacy differ if I'm a student, faculty or staff member?
All users are treated the same under the RUP. However, employees need to be aware that, as employees, their privacy may differ from that of students. If Academic Personnel or the appropriate HR office authorizes access to an employee's files or account to a supervisor or some other authorized entity, Information Services would be obligated to provide such access. Cal Poly also must honor any valid court order or search warrant to the boundaries described within them. NOTE: Access to accounts is not provided by supervisor request alone. All such requests must be channeled through the appropriate HR office to ensure their validity.
Generally a court order or other legally sufficient request would be required to access a user's files without their permission or knowledge. However, for employees, the appropriate HR office can authorize access under certain circumstances, such as early termination, extended leave, or an official University investigation. Such access may be granted to law enforcement, University legal counsel, HR or other appropriate campus officials, but will not be performed by IT staff directly unless required to do so and in the presence of the appropriate authority to whom access has been given.
While IT staff may monitor transaction logs, scan for known security problems, or view file names or types to identify the source of a specific problem, they will not review the contents of specific files or messages without permission from the user or being directed to do so by law enforcement or the appropriate campus official unless absolutely necessary to preserve system integrity, maintain a critical service, or resolve a problem.
The Freedom of Information Act applies to Federal government files, and would likely not apply to content stored on Cal Poly computers unless the content involves the use of Federal funds. The California Public Records Act, with very limited exceptions, requires State agencies to disclose public records when requested to do so under this Act. If electronic materials created by individual students, faculty and staff constitute a public record, other than several narrowly defined categories, the University is obligated to disclose such information in response to a valid request. Records arising from personal use may be difficult to distinguish from public records, and such records may be subject to inspection or disclosure under the Act. Users should assess the implications of this presumption in their decision to use University resources.
"Monitoring" in this context means looking at the system in general to identify potential trouble spots, e.g., programs running for excessive amounts of time, excessive use of disk space or network bandwidth, watching system logs for known problems such as port scans, using existing tools to search for known security problems, such as phishing, suspected malware, etc. Such monitoring is routinely performed by the system/network administrator, who may be staff, faculty or student assistant, depending on the department.
ITS does not intentionally monitor the content of individual files unless doing so can help resolve a problem, e.g., it may be necessary to review the message headers to solve a mail loop problem or to forward an undelivered message to the proper recipient. ITS will make every effort to notify the user whose account is affected and obtain their permission before acting, but may act without permission if necessary to prevent further damage, ensure system integrity and minimize the impact on other users.
Finally, if it appears the user's actions may have violated the policy, the system/network administrator will notify the Vice Provost/Chief Information Office in accordance with the policy.
This would depend on the nature and severity of the violation. The policy requires that the Vice Provost/Chief Information Officer be notified. For the least serious violations, Information Services will try to work with the user to informally resolve the matter. The user would be asked to stop what they are doing and explain their actions if necessary. For more serious and repeated violations, Information Services will refer the matter to the appropriate campus office for resolution under existing disciplinary/grievance processes and the user would be notified in accordance with the standard practices of those offices. Suspected criminal violations may be referred to the appropriate law enforcement agency, but only after consulting with the University's legal counsel.
Since the University cannot guarantee that a user's files will remain private (see Q#1 above) and any system can be cracked by someone with the skill and intent to do so, keeping such material off of public, shared or personal IT resources whenever possible is the only way to ensure that they remain confidential. Encryption, dual authentication, isolated/secure networks and servers, and secured drives are methods users can employ to better protect the confidentiality of such files. Disclosure of confidential information to unauthorized persons or entities, or the use of such information for self-interest or advantage, is prohibited under the policy, and IT staff and individual users will be held accountable for their actions under these rules. This includes disclosure to law enforcement personnel without a valid court order.
To the extent that a computer or shared file server serves as the functional equivalent of a desk drawer or file cabinet, supervisors and co-workers continue to have the same access to it for normal, work-related business purposes as they always have, e.g., retrieving a file or document needed while the employee who maintains the file or document is away from the office. However, the term "monitoring" here refers to network and system monitoring by the responsible IT administrator. Such routine monitoring is essential to properly administer and maintain IT systems. It may also be used to investigate actual or suspected misconduct and/or misuse of IT resources. Such action would require advance approval from the HR office responsible for the employee and/or a legal order, and cannot be initiated solely by a supervisor. However, evidence discovered in the course of routine monitoring and/or normal work-related activity may be used as a basis for seeking such authorization. Such evidence should be reported to the Vice Provost/Chief Information Officer to determine if a violation has occurred before any further action is taken.
Like other State taxpayer supported resources, the University's IT resources are intended to be used by students, faculty and staff to conduct university-related business. Recognizing the difficulty in drawing a line between personal and university-related uses, the minimal costs typically associated with occasional personal use, the typically inordinate costs associated with attempting to enforce a flat prohibition, and the benefits that may accrue to the University, State law permits "incidental" personal use of such resources. However, "incidental" uses are defined as uses that do not consume a significant amount of those resources, do not interfere with the performance of one's job or other university responsibilities, are not made for personal commercial purposes or personal financial or other gain, are non political, and otherwise comply with applicable laws, rules, policies, contracts and licenses. The policy allows individual departments and/or administrative units to impose additional use restrictions on or prohibit all personal use of the university provided computing resources under their control.
Use of university IT resources in connection with consulting work is subject to the same requirements and limitations as use of any other university resource. Such use must be approved in advance by the University and adequately compensate the University for the use of its resources. Use of university IT resources in connection with consulting that has not been approved is prohibited, even when done voluntarily by the user for an outside entity as a public service, e.g., Red Cross, Sierra Club, etc. Such use is inappropriate since the outside entity benefits from the use of State taxpayer supported resources and the value derived by the State may be minimal, if anything at all.
As a public institution of higher education, Cal Poly is committed to fostering an educational climate in which students, faculty and staff can approach their respective roles with a sense of high purpose and in which they may study and work free from harassment and intimidation. The University's Responsible Use Policy for Information Technologies (RUP) recognizes that personal viewing or transmittal of potentially offensive digital materials (for example, sexually explicit materials) may result in excessive use of campus computer and network resources inconsistent with professional responsibilities and ethical standards. Such practices may also result in educational and work environments that are hostile or are perceived to be hostile. In consequence, all members of the campus community are advised that the University does not condone and will not tolerate any such actions that are proven to constitute excessive use, to create a hostile work environment, or to have the effect of harassing or intimidating members of the campus community. In addition, any viewing or transmitting of illegal materials (for example, child pornography or obscene materials) is explicitly prohibited. The University also emphasizes that its policies are not aimed to impair free expression and open inquiry or unduly to restrict access to any lawful digital materials by those who would do so within the guidelines of the RUP. [Paul J. Zingg, Provost and Vice President for Academic Affairs, April 11, 2003]
Under California law, Cal Poly is required to notify, in writing, California residents whose unencrypted personal information has been, or may have been, acquired by unauthorized persons due to a breach of security on a campus computing system. Cal Poly has policies and practices in place to ensure that (a) campus systems and confidential data are secured and (b) employees and other users with access to personal information are aware of their roles and responsibilities in protecting confidential information from disclosure. However, should the University uncover a security breach involving a campus system with unencrypted personal information, Cal Poly will notify all affected individuals (not just California residents) using procedures outlined in Appendix D, Policy Implementation and Practices.