1. Statement of Purpose
As reflected in Rights, Rules, Responsibilities 1.4.9 and 1.5.2, the University offers electronic services and the use of its electronic equipment and systems, including but not limited to servers, computers, mobile devices, telephone systems, and cloud-hosted storage (collectively, “IT Systems”), to students, faculty and staff for educational, research and administrative purposes in furtherance of its mission.
The University has the legal right to access, preserve, and review all information stored on or transmitted through its IT Systems. The University endeavors to afford reasonable privacy for Users (as defined in Section 2.0 below), and does not access information created and/or stored by Users on its IT Systems except when it determines that it has a legitimate operational need to do so. Examples of legitimate operational needs include, but are not limited to, the “reasons for access” articulated in Section 3.0 below.
If the University determines, in its sole judgment, that it requires access to the account, device, or information of an individual user without prior notice to the user, the University may access the account, device, or information as provided in this Access to Accounts and Information Policy (this “Policy”), and document the transaction for compliance purposes.
2. Who Is Affected by This Policy
This Policy applies to all University students, faculty and staff. It also applies to all other individuals and entities granted use of the University’s IT Systems, including, but not limited to, contractors, temporary employees, and volunteers (collectively, “Users”).
3. Reasons for Access
The University may access User accounts and information when, in the University’s sole judgment, doing so is reasonably necessary to achieve a legitimate operational need. Examples of such needs include, but are not limited to: (a) evaluating or responding to health or safety risks; (b) ensuring continuity of operations during the unavailability of a User unexpectedly or for a prolonged period, or after the departure or death of a User; (c) when necessary to identify, diagnose or correct IT Systems security vulnerabilities and problems, or otherwise preserve the integrity of the University’s networks and IT Systems; (d) investigating a possible violation of law or University policy; (e) complying with federal, state, or local law or rules; and (f) complying with validly issued subpoenas, governmental information requests, warrants, court orders, and discovery obligations in a pending or reasonably anticipated legal proceeding. In securing such access, University officials will follow the request and approval procedures described in Section 4.0.
4. Procedures for Access
The following procedure will be implemented when the University needs to access, preserve or review a User’s electronic account or information:
4.1 For business continuity needs
Whenever access to information or resources stored in a University IT System is temporarily unavailable due to the absence of a User, and immediate access is necessary to accomplish an institutional objective or program, an administrative leader for the affected department (department chair, director, or equivalent) or Office of Human Resources Manager submits an Access Request in the Princeton University Service Portal (SN@P) and includes the following information:
- the name of the account holder whose existing information is to be exported, accessed or shared;
- the reason why the access and data are needed; and
- a precise description of the information needed, including a date range.
OIT receives the request and confers with the requestor as needed. OIT will create a ticket request for documentation purposes. OIT staff will promptly and confidentially access the account or information to provide the department a copy of the requested information. Depending on the circumstances and when necessary for business continuity needs, OIT may provide access to an account (for example, if the requester requires access to an Outlook calendar) and/or arrange for the temporary forwarding of emails to another email account.
4.2 For requests other than business continuity needs
Requests should flow to OIT (via email at firstname.lastname@example.org) through an authorized university official, as follows:
- For faculty, an email is sent to the Dean of the Faculty or designee for review and approval, who then provides the official request to OIT.
- For staff, an email is sent to the Vice President of Human Resources or designee for review and approval, who then provides the official request to OIT.
- For Undergraduate students, an email is sent to the Vice President of Campus Life or designee for review and approval, who then provides the official request to OIT.
- For Graduate students, an email is sent to the Dean of the Graduate School or designee for review and approval, who then provides the official request to OIT.
- For legal issues, an email is sent to the General Counsel or designee for review and approval, who then provides the official request to OIT.
- For safety or security requests, an email is sent to the Executive Vice President or designee, who then provides the official request to OIT.
- For University employees assigned to the Princeton Plasma Physics Laboratory (PPPL), an email is sent to the Vice President for PPPL or designee for review and approval, who then provides the official request to OIT.
- Offices not enumerated above should make the request via e-mail to the cabinet officer responsible for the requesting office, who will review the request and, if approved, transmit to OIT.
The Access to Accounts and Information Form (see Section 5.0) should be used to provide the official request to OIT. Before the requested information is provided pursuant to Paragraph 4.2, the Office of the General Counsel (“OGC”) must evaluate the request of the respective Dean or Vice President or their designee and concur that it is consistent with applicable laws and University policies. Once the Chief Information Security Officer (“CISO”) has received the approved request and verified authorization from the appropriate authorized university official and OGC, the CISO will work with the appropriate technical personnel to implement the request.
The CISO will follow instructions from the appropriate authorized university official and OGC regarding the preservation and archiving of requested data, and will document the request, disclosure details, the name and title of the requestor, and the reason for the request.
* No restricted or confidential information is ever to be documented in the ServiceNow ticketing system. Requests must be reviewed and, if necessary, modified to ensure confidentiality.
4.3 Requesting “Out of Office” Messages for an Unavailable Employee
When an employee is unexpectedly unavailable to receive and respond to email, and legitimate operational needs require continuity of communication, an administrative leader from the employee’s department (department chair, director, or equivalent) or Office of Human Resources Manager has the authority to request OIT to enable an "Out of Office" message from the employee's email account by submitting an “Out of Office” request in the Princeton University Service Portal (SN@P).
OIT receives the request and confers with the requestor as needed. OIT will create a ticket request for documentation purposes. OIT staff will confidentially access the email account for the sole purpose of creating and enabling the “Out of Office” message. The technical staff notifies the CISO and the original requestor, schedules the removal of the “Out of Office” message per the agreed upon date, and then closes the ticket.
5. Related Princeton Policies, Procedures, Standards, and Templates
6. Review Period
At a minimum, the Policy on Access to Accounts and Information will be reviewed every 24 months.
In addition, an Annual Report of actions taken under this policy will be prepared by the Office of Information Technology, Information Security Office and provided to the University Executive Compliance Committee.
Interim Policy Effective Date: June 2018
Policy Approved: July, 2018
Next Scheduled Review: July, 2020