This policy explains the situations in which access to data and investigations can be carried out.
It applies to any member of the University who thinks they need access to data.
It applies to data held in any University IT service whether it is provided directly by a University department or is managed by a third party on behalf of the University. University data held on third party systems that are not provided as a University IT service, for example DropBox, are excluded.
1.1 The University will not routinely monitor user activity or user data on its IT facilities but will collect data to support investigations when required.
1.2 The University will only carry out an investigation (IT Investigation) or provide access to data held in a user account (Data Access) if there is a legitimate reason for doing so and if the investigation can be shown to be justifiable, fair, proportionate and comply with UK legislation.
1.3 The University will follow a standard procedure for considering requests for IT Investigations and Data Access but each case will be considered individually with respect for the interests of all parties.
1.4 Data Access will only be considered in cases where the consent of the account holder cannot or should not be obtained and where it is not possible to obtain the same information via another route.
1.5 IT Investigations and Data Access may only be undertaken by specific members of staff as part of their normal duties and with management approval. Unapproved IT Investigation or Data Access is a breach of University regulations and may also be illegal; such activities may therefore lead to disciplinary or legal action.
1.6 Staff who are involved in IT Investigations and Data Access must follow the 'Method Statement - IT Investigations and Data Access'.
1.7 Where Data Access has taken place, the user whose data has been accessed would normally be informed their data has been accessed.
2.1 A request may only be made by a Head of Department, a member of staff with equivalent seniority, or a person nominated by the Head of Department, to ensure the request is bona fide and appropriate in the context. Requests which arise as part of Legal proceedings should be dealt with separately because they require approval from the Registrar - see section 4 below.
2.2 Requests from Heads of Department (or their nominees) must be prepared using the pro-forma in the 'Method Statement - IT Investigations and Data Access', to ensure required information is provided.
2.3 Requests involving central University facilities will be approved by the Directors of IT. Requests involving departmental facilities will be approved by the relevant Head of Department. Requests can be approved by more senior members of the University management team if the usual approver is absent.
2.4 A Head of Department cannot make and approve the same request. In these cases the request should be approved by a more senior member of the University management team.
2.5 The approver must specify and record the names of those staff who will be involved. Other staff must not be involved if they have not been authorised to be involved in the request. A minimum number of staff must be involved.
2.6 Information collected or processed must be kept confidential and must only be shared as required for the purposes of the investigation.
2.7 Staff who carry out the request must keep written records (to provide an audit trail) of the request, the authorisation, and a description of the information provided or disclosed. These must be kept in a secure location controlled by the Head of Department. The records must not be accessed without the Head of Department's permission.
2.8 Written records must only be retained for the period deemed necessary for the specific purpose for which they were collected.
3.1 If a report of misuse of IT facilities is received, the Deputy Registrar (or their nominee) should instigate an IT investigation (see section 2 above). Examples of misuse which may necessitate an investigation are:
3.2 The investigation should seek to establish whether a prima facie case exists which might be a contravention of University rules, regulations, procedures, or the law. The auspices under which any investigation is made should be made explicit.
3.3 Investigation staff must follow the 'Method Statement - IT Investigations and Data Access' which provides detailed procedures for investigating and reporting alleged misuse of IT facilities.
3.4 If a case is established, further action will be taken forward by the department's senior management team in conjunction with University departments involved in disciplinary matters, eg Student and Academic Services (for students), HR Services (for staff).
4.1 Ordinarily, staff members will be asked to assist the University with legal requests. Where this is not possible, eg because the staff member is on long-term leave, IT Services may access user accounts in order to comply with Freedom of Information enquiries or Data Protection requests. Such requests should be referred to the Registrar and Secretary or their Deputy for initial approval.
4.2 Accounts may also be accessed by IT Services without employee knowledge where required. Such requests will be referred to the Registrar and Secretary or their Deputy for initial approval.
4.3 If the request requires investigation of the use of centrally provided IT services, the Director of Infrastructure (or their nominee) will define and approve the actions to be taken. If the request requires investigation of the use of departmentally provided IT services, the relevant Head of Department (or their nominee) will define and approve the actions to be taken. As with internally instigated investigations, only authorised staff may carry out the work and full records must be kept.
4.4 If University disciplinary action or criminal prosecution arises from investigations, IT Services and/or the Department will provide relevant evidence for the disciplinary or prosecuting authorities as required. The evidence will be collected and presented to conform to the relevant rules of evidence and expert guidance will be sought before proceeding.
5.1 This policy applies to data held in any University IT service whether it is provided directly by a University department or is managed by a third party on behalf of the University. University data held on third party systems that are not provided as a University IT service, for example DropBox, are excluded from this policy.
5.2 This policy supplements University Regulation 11 "Using University Information" and University policy on Records Management and Data Protection.
6.1 The Information Security Board, chaired by the Deputy Registrar, will monitor the effectiveness of this policy and carry out regular reviews.
7.1 Corporate and Information Services’ staff who can authorise IT Investigations and Data Access requests are:
7.2 All information users are responsible for protecting and ensuring the security of the information to which they have access.
7.3 University Officers, Heads of Departments and Section Heads are responsible for ensuring that all information in their area is managed in conformance with this policy.
7.4 Staff, students, contractors, consultants, visitors and guests who act in breach of this policy, or who do not act to implement it, may be subject to disciplinary procedures or other appropriate sanctions.
7.5 Any breach of information security or violation of this policy must be reported to the Deputy Registrar who will take appropriate action and inform the relevant authorities.
8.1 This document, together with related information security policies and implementation documents, is available at: http://www.york.ac.uk/.
An IT investigation examines data held on University IT equipment eg log files, filestore, e-mail contents.
Examples of circumstances in which an IT investigation may be authorised are:
This is the term used to describe the method by which data held in a user account is accessed and examined on behalf of the University by someone other than the user themselves. In these cases no wrong-doing is suspected, but there may be work related data, or personal data, held in the user account which cannot be accessed or obtained via any other method. Examples of circumstances in which Data Access may be used are:
| 12 September 2012 | Approved by Information Policy Executive |
| 08 October 2012 | Approved by Information Security Board |
| 25 October 2013 | Review by IPE following audit comments. Minor change to 1.1 incorporated, K Mills-Hicks |
| 29 January 2016 | Reviewed and approved by Information Security Board |
| 31 July 2019 | Reviewed and approved by Information Security Board |
Review cycle: Three yearly
Date of next review: July 2022