IT Investigations and Data Access Policy

Policy

1. Policy

1.1 The University will not routinely monitor user activity or user data on its IT facilities but will collect data to support investigations when required.

1.2 The University will only carry out an investigation (IT Investigation) or provide access to data held in a user account (Data Access) if there is a legitimate reason for doing so and if the investigation can be shown to be justifiable, fair, proportionate and comply with UK legislation.

1.3 The University will follow a standard procedure for considering requests for IT Investigations and Data Access but each case will be considered individually with respect for the interests of all parties.

1.4 Data Access will only be considered in cases where the consent of the account holder cannot or should not be obtained and where it is not possible to obtain the same information via another route.

1.5 IT Investigations and Data Access may only be undertaken by specific members of staff as part of their normal duties and with management approval. Unapproved IT Investigation or Data Access is a breach of University regulations and may also be illegal; such activities may therefore lead to disciplinary or legal action.

1.6 Staff who are involved in IT Investigations and Data Access must follow the 'Method Statement - IT Investigations and Data Access'.

1.7 Where Data Access has taken place, the user whose data has been accessed would normally be informed their data has been accessed.

2. Requesting an IT investigation or Data Access

2.1 A request may only be made by a Head of Department, a member of staff with equivalent seniority, or a person nominated by the Head of Department, to ensure the request is bona fide and appropriate in the context. Requests which arise as part of Legal proceedings should be dealt with separately because they require approval from the Registrar - see section 4 below.

2.2 Requests from Heads of Department (or their nominees) must be prepared using the pro-forma in the 'Method Statement - IT Investigations and Data Access', to ensure required information is provided.

2.3 Requests involving central University facilities will be approved by the Directors of IT. Requests involving departmental facilities will be approved by the relevant Head of Department. Requests can be approved by more senior members of the University management team if the usual approver is absent.

2.4 A Head of Department cannot make and approve the same request. In these cases the request should be approved by a more senior member of the University management team.

2.5 The approver must specify and record the names of those staff who will be involved. Other staff must not be involved if they have not been authorised to be involved in the request. A minimum number of staff must be involved.

2.6 Information collected or processed must be kept confidential and must only be shared as required for the purposes of the investigation.

2.7 Staff who carry out the request must keep written records (to provide an audit trail) of the request, the authorisation, and a description of the information provided or disclosed. These must be kept in a secure location controlled by the Head of Department. The records must not be accessed without the Head of Department's permission.

2.8 Written records must only be retained for the period deemed necessary for the specific purpose for which they were collected.

3. Investigation of a report of misuse of IT facilities

3.1 If a report of misuse of IT facilities is received,the Deputy Registrar (or their nominee) should instigate an IT investigation (see section 2 above). Examples of misuse which may necessitate an investigation are:

• report of harassment
• allegation of use of university facilities to browse inappropriate materials on the web
• a staff performance issue where evidence of computer use is needed to prove or disprove the allegation

3.2 The investigation should seek to establish whether a prima facie case exists which might be a contravention of University rules, regulations, procedures, or the law. The auspices under which any investigation is made should be made explicit.

3.3 Investigation staff must follow the 'Method Statement - IT Investigations and Data Access' which provides detailed procedures for investigating and reporting alleged misuse of IT facilities.

3.4 If a case is established, further action will be taken forward by the department's senior management team in conjunction with University departments involved in disciplinary matters, eg Student and Academic Services (for students), HR Services (for staff).

4. Legal Requests

4.1 Ordinarily, staff members will be asked to assist the University with legal requests. Where this is not possible, eg because the staff member is on long-term leave, IT Services may access user accounts in order to comply with Freedom of Information enquiries or Data Protection requests. Such requests should be referred to the Chief Operating Officer or University Secretary for initial approval.

4.2 Accounts may also be accessed by IT Services without employee knowledge where required. Such requests will be referred to the Chief Operating Officer or University Secretary for initial approval.

4.3 If the request requires investigation of the use of centrally provided IT services, the Director of Infrastructure (or their nominee) will define and approve the actions to be taken. If the request requires investigation of the use of departmentally provided IT services, the relevant Head of Department (or their nominee) will define and approve the actions to be taken. As with internally instigated investigations, only authorised staff may carry out the work and full records must be kept.

4.4 If University disciplinary action or criminal prosecution arises from investigations, IT Services and/or the Department will provide relevant evidence for the disciplinary or prosecuting authorities as required. The evidence will be collected and presented to conform to the relevant rules of evidence and expert guidance will be sought before proceeding.

Scope

5. Scope

5.1 This policy applies to data held in any University IT service whether it is provided directly by a University department or is managed by a third party on behalf of the University. University data held on third party systems that are not provided as a University IT service, for example Dropbox, are excluded from this policy.

5.2 This policy supplements University Regulation 11 "Using University Information" and University policy on Records Management and Data Protection.

Oversight

6. Oversight

6.1 The Information Security Board, chaired by the Director of IT Services, will monitor the effectiveness of this policy and carry out regular reviews.

Responsibilities

7. Responsibilities

7.1 DTEF’s staff who can authorise IT Investigations and Data Access requests are:

• Director of DTEF
• IT Director
• An Assistant Director of IT (Infrastructure, Digital or Customer Engagement)
• Head of Cyber Security

7.2 All information users are responsible for protecting and ensuring the security of the information to which they have access.

7.3 University Officers, Heads of Departments and Section Heads are responsible for ensuring that all information in their area is managed in conformance with this policy.

7.4 Staff, students, contractors, consultants, visitors and guests who act in breach of this policy, or who do not act to implement it, may be subject to disciplinary procedures or other appropriate sanctions.

7.5 Any breach of information security or violation of this policy must be reported to the Deputy Registrar who will take appropriate action and inform the relevant authorities.

Implementation

8. Policy implementation documents

8.1 This document, together with related information security policies and implementation documents is available at: http://www.york.ac.uk/.

8.2 Method Statement - IT Investigations and Data Access

Appendices

Appendix A - Definitions

IT Investigation

An IT investigation examines data held on University IT equipment eg log files, filestore, email contents.

Examples of circumstances in which an IT investigation may be authorised are:

• to investigate alleged misuse eg activities that are in breach of University policy or are illegal
• to comply with legislation eg subject access request
• to identify, investigate or monitor an operational problem
• to investigate suspected unauthorised access to or use of systems
• to provide access to a user's account as part of other formal processes within the University eg disciplinary investigations

Data Access

This is the term used to describe the method by which data held in a user account is accessed and examined on behalf of the University by someone other than the user themselves. In these cases no wrong-doing is suspected, but there may be work related data, or personal data, held in the user account which cannot be accessed or obtained via any other method. Examples of circumstances in which Data Access may be used are:

• to provide access to work related data when someone is on long term sick leave
• to provide access to work related or personal data when the account holder has passed away
• to provide urgent access to work related data when some is taking annual leave.

Document history

Document history

Review

Review cycle: Three yearly

Date of next review: July 2022