Can I access my employees' computer data, email, or voice mail?
In order to promote free discourse and maintain the environment appropriate to a learning institution, and because the university does allow incidental personal use, university policies protect the right to privacy of computer data whenever possible. There are however, times when a legitimate need arises for which you as a supervisor require access to an employee's computer data:
- If you need access to proceed with work and the employee is unavailable to access the data for you, obtain written (email or paper) permission from the employee granting access to the content.
- If the employee can't grant permission (e.g., has been terminated, is deceased or incapacitated), get written permission from your department's senior executive officer.
- If you think the employee is engaged in illegal activities using university accounts or resources, or if you believe the individual is violating university policy, get written authorization from the appropriate campus chancellor.
- In an emergency situation where you believe processes active in an employee's account or on an employee's device can or is causing system degradation or damage to other data, a technician or administrator can permit immediate access.
- If the employee is involved in fiscal misconduct, you will need a directive from the Director of Internal Audit.
- For other legal matters, you may need a court order or other legal documents and further direction from University Counsel.
Unless it's inappropriate or impossible, you should notify the employee before you access the data. Otherwise, you should notify the employee as soon as possible after the access.
Without specific authorization, you may use system-generated, content-neutral information (i.e., system logs, login records, connection logs, network activity logs, email logs, and auditing logs) to:
- Monitor system and storage usage
- Troubleshoot
- Secure departmental systems
- Investigate technology abuse or misuse
- Support formal audits
When you contact a technician for access to an employee's data, that technician is required, where possible, to consult with the appropriate campus Chief Information Officer (CIO), who ensures that the appropriate authorization or permission has been granted. In doing so, the campus CIO is encouraged to consult with a university Information Technology Policy Officer, who can provide advice and policy interpretation to not only the CIOs, but also to you directly.
Tips
To ensure uninterrupted access to office communications, consider creating a departmental email account, which you can then publish as your contact point instead of publishing an individual's email account. Departmental account access can be assigned to different individuals depending on who is working at the time. Information about getting departmental accounts is available at http://kb.iu.edu/data/acyi.html.
To ensure uninterrupted access to shared data, you can name folders something generic, e.g., "Project X". Folders that are named with an employee's username or name are considered assigned to that user and require the authorization provisions above.
For access to email data that requires frequent sharing, consider using Folder Permissions or the Delegate feature in Microsoft Outlook. The owner of the account sets up the permissions or delegate access, thereby authorizing it. For instructions on how to do this within Outlook, see In Outlook for Windows, how do I allow other users to view my Calendar or other folders in my Exchange mailbox?
More Information
This information is based on the university's IT policy IT-07.
For consultation in handling particular situations (preferably before taking action), contact your campus human resources office (contact information is available at http://kb.iu.edu/data/akwe.html), your campus employee relations office (812-856-5572 at IU Bloomington, 317-274-8931 at IUPUI), and/or the University Information Policy Office (UIPO) for all campuses.
For instructions for sharing folders, visit http://kb.iu.edu/data/ahrs.html.
