3.8.12 Computing and Communications Confidentiality Policy Version 2.3
Approved by Academic Council on May 10, 2007
The University will treat all of its individual User information, User activity, and User communications as Confidential Information as defined in its Information Management Policy.
Note that the line above is University Institutional Policy and that what follows is University Operational Policy. Both are approved by the Information Strategy and Policy Committee (ISPC).
- Users should not assume they are anonymous or have absolute confidentiality.
Modern communications and computing systems may monitor, record or maintain certain User information (like directory information or files), User activity (like web sites visited) and User communications (like Email) as a normal part of their operation.
Authorized Security Administrators / Systems Administrators in the normal course of operations, maintenance or problem diagnosis may have access to User information, User activity and User communications.
As a result of this normal maintenance activity, information, activity or communications in potential violation of University policy may be discovered. This information will be disclosed to the appropriate University official(s) and may ultimately result in investigation and/or corrective action (as defined under Enforcement).
- Users should be aware that backups and copies of information may exist and may be retained for indeterminate periods of time, regardless of whether that information is 'deleted' by the User.
- The University will not routinely monitor User information, User activity or User communications.
However, the University reserves the right to investigate suspected violations of University Policies by monitoring or reviewing individual User information, User activity or User communications on any of its owned or provided systems.
Authorization for any such monitoring must be obtained in writing from both the Information Security Analyst (The Security Officer) and the Chief Information Officer. Such authorization will be done in concert with the appropriate University officials and/or University counsel.
In general, authorization will not be given for purposes relating simply to employee performance. For example, accusations of excessive web surfing are a management issue, not an issue sufficient to warrant monitoring. In addition, monitoring requests from non-University entities, including law enforcement, must additionally be cleared through University counsel.
Requests, in writing, by an individual to have their own information, activity and communications monitored can be honored by the appropriate system administrator and/or the Information Security Analyst.
- Emergency steps can be taken.
If, in the judgment of the appropriate University officers or management, it is necessary to protect the integrity of its Computing and Communications Resources against unauthorized or improper usage, and to protect authorized Users from the effects of unauthorized or improper usage under the University's Acceptable Use Policy, or otherwise to protect the fiscal or management integrity of the institution, the University (through its Security Administrators) reserves the right to limit permanently or restrict any User activity, to inspect, copy, remove or otherwise alter any User information (on University owned or provided systems), to inspect, copy, or remove User communications (on University owned or provided systems) and to do so without notice to the User.
Emergency action on personally owned machines is limited to removal from the network unless the action is part of a legal process. As per the Sanctions (See Table of Contents) of these policies, in addition, technical action may be taken in emergency situations by authorized Information Technology staff; other corrective action, technical or non-technical, will be taken in accord with applicable University policies and procedures.
- Normal Human Resource and student judicial policies will be used for non-emergency cases of suspected policy violation.
Today, students, faculty and staff depend on information technology to perform their duties and meet expectations. If non-emergency IT policy infringement problems arise they must be resolved in a consistent manner and utilize established University investigative and disciplinary channels and procedures.
The CIO and Information Security Analyst (Security Officer) will work with the appropriate general University officials and appropriate School or administrative unit officials in these matters. The Security Analyst may also address this process with incident response procedures.
- IT staff will not take unilateral action outside an emergency.
The intent of the previous two paragraphs is to ensure that, except in an emergency, information technology staff members do not take unilateral action restricting User activity and/or action outside of established University processes.
An emergency situation occurs when the integrity or security of systems is at stake, when a User's usage is seriously impacting the usage of others, or when the University has been placed in a position of immediate harm to its image or immediate legal liability. Simply having the potential for these conditions may be grounds for prompt process, but does not constitute an emergency. If a question arises about whether a situation is or is not an emergency, the Information Security Analyst and/or the CIO should be consulted.
- Users should be aware that the University has no control over the content of information servers on the external Internet and does not routinely monitor inbound traffic for content.
Please be informed that some information on or from the Internet may be personally offensive and/or unsuitable for certain audiences. User discretion is advised.
- Users of "personal" computers, even if the University provides them, are responsible for ensuring that their systems are properly backed up and that the information contained therein is appropriately safeguarded to maintain security, confidentiality and policy compliance.
Viruses, Trojan horses, worms, password breakers, packet observers, remote controllers and other malicious software may exist in the University electronic environment. Be aware that these programs may be dangerous and/or capable of compromising confidential information.
Take appropriate precautions including keeping anti-virus software up to date. In general, never run or access a program or received file unless the content is known in advance and the source is trusted.
- As part of keeping individual User information Confidential, the University will not disclose any confidential information to non-University third parties, except 1) in compliance with federal, state, and local laws and judicial process or 2) as required to conduct the operational business of the University.
In the latter case, the University may disclose information to third parties who are under contract to the University to provide a service. The University will ensure that contracts with third party vendors prohibit the release of University information to any entity not part of its contract and will maintain the confidentiality of University Information, including information on individuals.
- The information in computers not owned or provided by Pacific (so called Private computers as opposed to Institutional computers) is considered Private and Confidential.
The courts (a three Judge Panel of the U.S. Court of Appeals for the Ninth Circuit in San Francisco upheld an earlier decision of the U.S. District Court of the Northern District of California) have ruled that students have "a legitimate, objectively reasonable privacy expectation" concerning data on their computers even though it may be connected to a University network.
By extension, Pacific employees, whose authorized jobs involve computer maintenance and security, must gain documented permission from the owner before accessing not just student computers, but any privately owned machine.
Note: Users are responsible for maintaining proper back-ups of their data, including, but not limited to, data files, applications, license keys and documentation. Although a rare occurrence, University service personnel are not responsible for any loss of data that may occur as a result of owner-authorized activities. This is to be documented as part of the permission process (above).
- The information in computers owned or provided by Pacific (so called Institutional computers as opposed to Private computers) is considered Confidential, but not Private.
Pacific employees, whose authorized jobs involve computer maintenance and security, are not required to gain permission from its steward or User (or their designee) before accessing any institutional machine for normal maintenance and security purposes.
At Pacific, except in an emergency, any intrusion into institutional personal computers beyond normal authorized maintenance and security requires the authorization of the Information Security Analyst (Security Officer), the Director of Human Resources, or a Cabinet member. All such non-emergency access to a machine used by a faculty member requires authorization by a Cabinet member.
Note: Users are responsible for maintaining proper back-ups of their data, including, but not limited to, data files, applications, license keys and documentation. Although a rare occurrence, University service personnel are not responsible for any loss of data that may occur as a result of institutionally authorized activities.