Information Technology Standard 02.13.0

Electronically Stored Information Release Standard


Date of Current Revision or Creation: September 2024


The purpose of an Information Technology Standard is to specify requirements for compliance with University Information Technology policies, other University policies, as well as applicable laws and regulations. Standards may include business principles, best practices, technical standards, and migration and implementation strategies that direct the design, deployment and management of information technology.

Purpose

Establish guidelines for accessing and releasing electronically stored information (ESI) within the University, ensuring that access to ESI beyond regular business operations is conducted with proper approvals and adherence to confidentiality requirements. The standard is designed to protect the privacy of individuals' electronic communications and files, while providing a clear framework for managing requests related to business continuity, investigations, or other organizational needs.

Definitions

Electronically Stored Information (ESI) - Data or information that is created, stored, and managed in digital or electronic form within the University's electronic systems.

Non-Content Information - Information that does not include the actual content of communications, such as authentication logs or user account settings.

Standards Statement

In certain circumstances, such as investigations or business continuity needs, access to electronic communications and files stored on University systems may be required. This access extends beyond routine University business activities or publicly available information and is only permitted with proper authorization. Such access to electronically stored information (ESI) must be approved by designated University officials and comply with all relevant University policies and standards.

Requests to monitor or review electronic communications or files will only be approved when supported by valid justification, which must be based on specific business needs, legal obligations, or credible evidence of policy or legal violations involving the individual whose ESI will be reviewed or monitored. Typically, these authorization requests are initiated by supervisors, HR staff, legal counsel, or the registrar, and may also come from investigative bodies within the University, such as the audit department, Police Department, or Office of Institutional Equity and Diversity.

User ESI Authorization

Authorization to access a user’s ESI requires signed approval from the University President’s Office, the Office of University Counsel, and the Vice President of Digital Transformation and Technology. Direct supervisors cannot authorize or accept access to an employee’s account or credentials without the necessary approvals from these officials.

Non-Content Information Authorization

For non-content information requests, signed authorization is required from the Vice President of Digital Transformation and Technology; the vice president, department head, or Budget Unit Director responsible for the affected individual; and the Chief Information Security Officer.

Before authorizing access to ESI or non-content information, the vice president, CISO, department head, or designee must carefully evaluate the justification to ensure there is a legitimate need for access. Confidentiality must be maintained, and consulting with legal counsel may be appropriate to determine whether to grant access and whether the affected individual or other parties should be informed.

Related Information

History

Date | Responsible Party | Action
September 2024 | Technology Policy Office | Created