Method Statement - IT Investigations and Data Access

1. Introduction

1.1 The power to conduct investigations into the activities of members of the University on its IT Systems is a serious responsibility and must be used with care. This document sets out the way the University requires such investigations to be conducted.

1.2 This document applies to those members of staff who have been granted powers under the “IT Investigations and Data Access” policy to conduct investigations and provide access to data.

2. Authorisation

2.1 All investigations and requests for access to data must be authorised in accordance with the policy “IT Investigations and Data Access”.

2.2 A proforma for requests is available in Appendix 1 in this Method Statement.

3. Key stages

3.1 The key stages that should be followed when conducting an IT Investigation are as follows:

StageResponsibility
Gain approval for the investigation Person requesting the investigation [Requester]
Seek advice from the Director of Infrastruture  Requester and/or person(s) authorised to conduct the investigation [Investigator]
Establish the standard of evidence that is required, based on an assessment of likelihood of legal action arising from the investigation Requester and Investigator(s)
Establish relevant grounds on, or legal frameworks/parameters in which data are to be accessed or disclosed Investigator
Plan the investigation, including which data or systems are to be accessed Investigator
Conduct the investigation and record actions Investigator
Report on the investigation to the person who requested it Investigator and Requester
Ensure actions arising from the report are assigned to the appropriate person for action Requester and Investigator
Decide which data from the investigation is to be retained (if any) and retain in accordance with the ‘IT investigations and Data Access Policy’ Requester and Investigator
Close the investigation Requester

3.2 The key stages that should be followed when providing access to data are as follows:

StageResponsibility
Gain approval for the data access request Person requesting the investigation [Requester]
Plan how access will be provided, including which data or systems are to be accessed Investigator
Provide or obtain data access and record actions Investigator
Report on the request to the person who requested it Investigator and Requester
Decide which data from the request is to be retained (if any) and retain in accordance with the ‘IT investigations and Data Access Policy’ Requester and Investigator
Close the request Requester

4. Standards of Evidence

4.1 Members of the University are not trained to capture computer forensic evidence to the standards necessary for a trial. If after an assessment carried out under 3 above the requester and investigator believe that an investigation might lead to legal proceedings, the investigator must not carry out any work without taking specialist advice on how any internal investigation might prejudice a future possible trial.

5. Access to Data

5.1 Investigators must ensure that University and personal data is not exposed beyond the extent that is necessary for the conduct of the investigation.

5.2 Data in a user’s account might include personal data unconnected to the user’s relationship with the University. Particular care should be taken with such data.

5.3 A user’s password should never be given out to another member of the University. Data access should be provided in other ways such as providing a copy of the data or delegated access.

5.4 Investigators should only pass on the minimum number of files/emails required and not hand over the entire contents of an account.

5.5 Actions should be taken to reduce the need for continuing access e.g. by adding a “vacation” message to an email account to alert senders of email that they should contact a different member of staff. This gives the sender the option to not send personal messages and so reduces the risk of a privacy breach.

5.6 Full records should be kept of any such access. Where an investigation is sensitive (e.g. as part of an existing disciplinary process) or illegal material may be involved (see below), the investigation team must be formed from a minimum of two people.

6. Follow-up action

6.1 Assessment of the degree of severity of a breach of Regulations is made on an individual basis. Some examples and their associated severity are given below in section 7.

6.2 Where disciplinary action is to be taken arising from the outcome of the investigation, the standard University disciplinary processes for staff and students should be invoked.

6.3 If the investigator, or the investigation requester, is unsure about the severity of the breach and the appropriate follow-up action to take, further guidance must be sought from the Deputy Registrar, Director of Infrastructure, HR Services or the Registrar’s Office.

6.4 If an investigation finds evidence of harassment the University Equality and Diversity Office must be informed before any follow-up action is taken.

7. Examples of Misuse

7.1 Student A finds their friend, student B, has left a PC logged on and sends some prank emails or Facebook updates to their mutual friends, posing as student B. As a one-off case, this would be regarded as a minor breach and dealt with, without invoking formal disciplinary processes, either by the Student’s department or by IT Services.

7.2 Student A shares her password with Student B, her boyfriend, whose account has been locked. As a one-off case this would be dealt with by the Information Directorate without invoking formal disciplinary processes.

7.3 A member of the University sends harassing, racist or otherwise offensive messages to either another member of the University or an external person. This is a more serious offence and must be reported to the Equality and Diversity Office at an early stage in the investigation who will then provide advice throughout the investigation and follow-up actions.

7.4 A member of the University gains unauthorised access to a restricted server and views confidential data. This is a very serious offence and must be reported to the Deputy Registrar and is likely to invoke a formal disciplinary procedure. Where personal data is exposed, the University’s Data Protection Officer must also be notified.

8. Records

8.1 Records must be kept of all investigations or data access carried out. The record must include:

  • The authorising authority, bearing the signature of the authorizer
  • The investigator(s) name(s) and all other people who have been involved
  • Dates and times of all work carried out
  • Summary details of all files, logs or other data viewed
  • A summary detailing all actions taken, or reasons why no further action was considered necessary.
  • What information has been shared about the outcome and to whom

8.2 The records of any investigation or data access must be retained in accordance with the University’s Records Management Policy.

8.3 Records of general misuse do not need to be passed on outside the department conducting the investigation. Any investigation into internal or external unauthorised access (or attempted access) to systems (“hacking”) must be reported to the Information Security Board (ISB).

9. Investigations of Extreme or Potentially Illegal Material

9.1 Any investigation into potential child pornography or extreme pornography (under the terms of the Criminal Justice and Immigration Act 2008) must be handled with extreme care.

9.2 Any such investigation must be notified to the Deputy Registrar as soon as illegal material is found, or if there is a reasonable suspicion that illegal material may be found. The Deputy Registrar will decide whether to involve law enforcement immediately, or to undertake preliminary or further investigations (e.g. to decide if an allegation is malicious or otherwise unfounded).

9.3 Such work might involve viewing illegal images - the Memorandum of Understanding between the Crown Prosecution Service (CPS) and the Association of Chief Police Officers (ACPO) [1] sets out the terms under which such investigations may be performed.

9.4 Any such investigation must be only carried out by suitably authorised investigators and be carried out by two people at all times.

9.5 A full record must be kept of all work done, times and dates at which it was done, files/URLs viewed and any other relevant information.

9.6 Where it may be necessary to visit a URL to decide if it is indeed illegal, such browsing should be done with image loading disabled.

9.7 The investigation must stop when the first piece of illegal content is found.

9.8 For the offence of the possession of “extreme pornography” it may be necessary to involve law enforcement to decide if such images are illegal. Such material must be reported to the Deputy Registrar who will inform the Registrar and Secretary.

9.9 If any material in this category is found, it is required that the incident be reported to the Police and it is a criminal offence not to do so. Such reports must be made via the Deputy Registrar, who will inform the Registrar and Secretary.

10. Oversight

10.1 The Information Security Board, chaired by the Deputy Registrar, will monitor the effectiveness of this method statement and carry out regular reviews.

Document history and status

27 November 2013 Approved by Information Policy Executive
02 December 2013 Approved by Information Security Board
29 January 2016 Reviewed and approved by Information Security Board
31 July 2019 Reviewed and approved by Information Security Board

Status

Review cycle: Three yearly

Date of next review: January 2022


[1] http://www.cps.gov.uk/publications/docs/mousexoffences.pdf