Skip to main content.

Guidance on Monitoring of Employee Electronic Communications or Files

General

The University intends that authorization for non-law-enforcement University personnel to monitor or review electronic communications or files of employees, including faculty and staff, will not be granted casually. Such authorization will require justification based (a) on business needs or (b) on sufficient cause from reasonably substantiated allegations of violation of law or policy on the part of the faculty or staff member. Authorization may be granted by the University President or the Vice President for Strategy and Policy.

Business Needs

Examples of business needs include but are not limited to :

  • the need to have access to the e-mail of an employee who is unexpectedly unavailable and who is conducting time-sensitive negotiations with an outside entity -- negotiations of sufficient importance to justify review of the employee's electronic communications and files when that employee is unable to give consent for that review
  • an urgent and sufficiently serious issue of health or safety.

Often it will be desirable for the University to exercise diligence in enlisting the help of the employee to extract the business materials and in considering other steps to respect the personal nature of any other materials present if that help is unavailable. Such steps may include the use of an independent confidential reviewer -- a person on the University staff who does not have supervisory or management responsibilities for the employee whose materials are being reviewed -- to extract the business materials.

Investigations of Violations of Law or Policy

Requests for authorization to monitor or review electronic communications or files because of allegations of violations of policy or law by faculty or staff members usually originate with supervisors. They may also originate with a University investigatory authority (looking into a sexual harassment claim, for example). The President or the Vice President for Strategy and Policy, when asked to consider authorization for monitoring or reviewing the electronic communications or files of an employee, must use his or her judgment in determining if there is sufficient reason to grant such authorization. In these situations, the President and the Vice President for Strategy and Policy will maintain confidentiality and will consult with the Office of the Attorney General if needed in determining whether to authorize monitoring or review and in determining if the affected employee or anyone else should be notified that the monitoring or review is taking place. [See related information in "How Investigations Work" section of the IT Security Incident Response Plan.]

Circumstances Not Requiring Authorization

Most security tests of computing systems do not constitute monitoring or review of employee electronic communications or files. Consequently, presidential authorization (or that of the Vice President for Strategy and Policy) is not required for appropriate University staff to conduct such security testing, including testing done by system administrators to determine the strength of protection afforded by the passwords its employees select. In no case, of course, should employees reveal their passwords to anyone, including their system administrators. This testing is aimed at revealing weak or "guessable" passwords, and the appropriate action in responding to identification of a weak password is for the employee to change it immediately.

Similarly, presidential authorization (or that of the Vice President for Strategy and Policy) is not required for appropriate University staff to review attempted access of its systems by persons (employees or others) not authorized to use them.

Presidential authorization (or that of the Vice President for Strategy and Policy) is also not required for review by appropriate University staff of records of the numbers employees call using the University's long-distance telephone system. Such reviews may be routinely conducted as part of departmental management reviews or Internal Audit reviews.

[Adapted from similar materials
at the University of Virginia]