1. Statement of Purpose
As reflected in Rights, Rules, Responsibilities 1.4.9 and 1.5.2, the University offers electronic services and the use of its electronic equipment and systems, including but not limited to servers, computers, mobile devices, telephone systems, and cloud-hosted services and storage (collectively, “IT Systems”) to students, faculty and staff for educational, research and administrative purposes in furtherance of its mission.
The University has the legal right to access, preserve, and review all information created on, stored on, or transmitted through its IT Systems (collectively, “information”) and accounts and IT Systems where such information resides (collectively, “accounts”). The University endeavors to afford reasonable privacy for Users (as defined in Section 2 below), and does not access such information and accounts except when it determines that it has a legitimate operational need to do so. Examples of legitimate operational needs include, but are not limited to, the “reasons for access” articulated in Section 3 below.
If the University determines, in its sole judgment, that it requires access to the account or information of an individual user without prior notice to the user, the University may access the account or information as provided in this Access to Accounts and Information Policy (this “Policy”), and document the transaction for compliance purposes.
2. Who Is Affected by This Policy
This Policy applies to all University students, faculty and staff. It also applies to all other individuals and entities granted use of the University’s IT Systems, including, but not limited to, contractors, temporary employees, and volunteers (collectively, “Users”).
3. Reasons for Access
The University may access User accounts and information when, in the University’s sole judgment, doing so is reasonably necessary to achieve a legitimate operational need. Examples of such needs include, but are not limited to: (a) evaluating or responding to health or safety risks; (b) ensuring continuity of operations during the unavailability of a User unexpectedly or for a prolonged period, or after the departure or death of a User; (c) when necessary to identify, diagnose or correct IT Systems security vulnerabilities and problems, or otherwise preserve the integrity of the University’s networks and IT Systems; (d) investigating a possible violation of law or University policy; (e) complying with federal, state, or local law or rules; and (f) complying with validly issued subpoenas, governmental information requests, warrants, court orders, and discovery obligations in a pending or reasonably anticipated legal proceeding. In securing such access, University officials will follow the request and approval procedures described in Section 4.
4. Procedures for Access
The following procedure will be implemented when the University needs to access, preserve or review a User’s account or information:
4.1 For requesting “Out of Office” messages for an unavailable employee
When an employee is unexpectedly unavailable to receive and respond to email, and legitimate operational needs require continuity of communication, an administrative leader from the employee’s department (department chair, director, senior manager or equivalent) or an Office of Human Resources (“HR”) manager has the authority to request the Office of Information Technology (“OIT”) to enable an “Out of Office” message from the employee’s email account by submitting an “Out of Office” request in the Princeton Service Portal.
The request is made via the “Request CISO Approval for Temporary University Account Access” form in the Princeton Service Portal. OIT receives the request and confers with the requestor as needed. OIT technical staff will confidentially access the email account for the sole purpose of creating and enabling the “Out of Office” message. Upon completion, the technical staff notifies the Chief Information Security Officer (“CISO”) and the original requestor by updating the Princeton Service Portal ticket, then closes the ticket.
4.2 For business continuity needs
Whenever access to information or resources stored in an IT System is temporarily unavailable due to the absence of a User, and immediate access is necessary to accomplish an institutional objective or program, an administrative leader from the affected department (department chair, director, senior manager or equivalent) or an HR manager has the authority to submit an access request. Care should be taken that only the minimal amount of information required is requested, and for the minimal amount of time necessary.
The request is made via the “Request CISO Approval for Temporary University Account Access” form in the Princeton Service Portal. OIT receives the request in the Princeton Service Portal and confers with the requestor as needed. OIT technical staff will confidentially access the account or information to provide the department a copy of the requested information. Depending on the circumstances and when necessary for business continuity needs, OIT may provide access to an account (for example, if the requester requires access to an Outlook calendar) and/or arrange for the temporary forwarding of emails to another email account. Upon completion, the technical staff notifies the CISO and the original requestor by updating the Princeton Service Portal ticket, then closes the ticket.
4.3 For active or imminent security threats to IT Systems
Upon identification of a security threat to IT Systems or information therein, OIT may access User accounts to address the security threat in order to preserve the integrity and availability of the University’s networks, IT Systems, and information therein.
4.4 For requests other than business continuity needs
For all other requests, including preservation requests, an authorized university official submits the request via the “Access to Accounts & Information Request Form” in the Princeton Service Portal. For University investigations, the authorized university official shall be the director of the Investigations Unit.
The authorized university official will identify the relevant individual who is to receive the request for review and approval as follows:
- For faculty, the Dean of the Faculty or designee
- For staff, the Vice President for Human Resources or designee
- For undergraduate students, the Vice President for Campus Life or designee
- For graduate students, the Dean of the Graduate School or designee
- For safety or security requests, the Executive Vice President or Assistant Vice President of Public Safety
- For University investigations, the cabinet officer responsible for the referring office or designee
- For University employees assigned to the Princeton Plasma Physics Laboratory (“PPPL”), the Vice President for PPPL or designee
- For offices not enumerated above, the cabinet officer responsible for the requesting office or designee
If the request is approved, the request will be submitted to the Office of the General Counsel (“OGC”) to evaluate whether it is consistent with applicable laws and University policies.
If OGC concurs that the request is consistent with applicable laws and University policies, the request will be submitted to the CISO, who will work with the appropriate technical personnel to implement the request.
The CISO will follow instructions set forth in the approved request and any additional instructions from the related authorized university official and OGC regarding the preservation and archiving of requested data. The CISO will document the request, disclosure details, the name and title of the requestor, and the reason for the request.
* No restricted information is ever to be documented in the Princeton Service Portal. Requests must be reviewed and, if necessary, modified to ensure that no restricted information is submitted.
5. Related Princeton Policies, Procedures, Standards, and Templates
6. Review Period
At a minimum, the Policy on Access to Accounts and Information will be reviewed every 24 months.
In addition, an Annual Report of actions taken under this policy will be prepared by the Office of Information Technology, Information Security Office and provided to the University Executive Compliance Committee.
Interim Policy Effective Date: June 2018
Policy Approved: July 2018
Last Reviewed: February 2023
Next Scheduled Review: February 2025
Policy Title: Policy on Access to Accounts and Information
Responsible Executive: Vice President of Information Technology and CIO, Dean of the Faculty, Vice President for Human Resources and Vice President for Campus Life
Responsible Office: Office of Information Technology, Information Security Office, Office of the Dean of the Faculty, Office for Human Resources and Office of the Vice President for Campus Life
Contact: Chief Information Security Officer
Effective Date: First version: July 2018; Current major revision: February 2023
Last Update: February 2023