VPOC approval received Monday December 8, 2014
Purpose/Reason for This Procedure:
Exceptional circumstances may make it necessary to access the contents of University resources that have been allocated to a specific employee or student ("Account Holder"). This Procedure establishes the authorization required for providing such access to other than the assigned user.
For the purposes of the procedure, IT resources include but are not limited to individual accounts for using the University's:
- Email and Calendar services,
- Telephone and Voicemail services,
- Storage and Backup services including OneDrive and Active Directory File share, and
- other account-based services such as ¾ÅÐãÖ±²¥ Portal and Proxy services.
IT resources associated with courses offered by the University are outside of the scope of this procedure.
In all cases access will be limited in scope and time only to that which is necessary for the stated situation.
Procedure Owner: ITS
Note: Unless otherwise stated, all University resources are provided to employees for University business and contain University records.
"...Records in the custody and control of the University are subject to the public right of access in the Freedom of Information and Protection of Privacy Act (FIPPA)."
EMAIL & FIPPA BEST PRACTICES (Office of the Access & Privacy Coordinator)
Under normal circumstances, the named/identified Account Holder has primary access to these University resources. The University reserves the right to access these resources under the following circumstances. The procedure will be based on authority and notification as indicated below.
A) Academic Staff Account Holders (includes Faculty, Adjuncts, Librarians, Archivists)
"Members have the right to privacy in their personal and professional communications and files, whether on paper or in electronic form, subject to the Freedom of Information and Protection of Privacy Act (FIPPA) and any other legal requirement. The Provost and Vice-Principal (Academic) may authorize access to a Member’s computing and network account(s) with the University only if there are reasonable grounds to believe that the Member may be threatening the security and integrity of the computing or network facilities, violating any software licensing agreement, or attempting to access another user’s account or data without that user’s permission". [QUFA Collective Agreement 2019-22]
The university is obliged to provide access for a search warrant authorized by a court.
B) Student Account Holders
Resources are private [1]. The University reserves the right to access under the following circumstances.
Situation |
Authority(s) |
Process/Procedure |
Notice to Account Holder |
---|---|---|---|
After death of the Account Holder |
Governed by the Student Death Protocol section of FIPPA |
N/A |
|
Where there are reasonable grounds to suspect Account Holder misconduct |
One of:
|
Authority completes Note: you may be contacted following submission to discuss the request and to provide additional details before access is granted. |
No |
Security or police request |
Director of Campus Security |
Authority contacts Information Security Officer |
Determined by Authority |
Search warrant |
Court |
Authority contacts Information Security Officer |
Determined by Authority |
Remedy an accidental breach of privacy and/or misdirected email |
Access & Privacy Coordinator |
Authority completes Note: you may be contacted following submission to discuss the request and to provide additional details before access is granted. |
In writing from Authority |
[1] Students who are also employed by the University should not use their student account for employment-related purposes . In such cases, the student should be provided with an employee account.
C) Non-QUFA Employees and Other Account Holders
Resources are not private, but may be used for private purposes. The University reserves the right to access under the following circumstances.
Notes:
- For most situations involving employees, that individual's Unit Head is the primary authority. Alternates are for situations where Unit Head is absent.
- IT Admin Reps may employ the procedures indicated below on behalf of their Unit Head, but the Unit Head remains the Primary Authority.
Situation |
Authority(s) |
Process/Procedure |
Notice to Account Holder |
---|---|---|---|
Specific critical and/or time sensitive information required to conduct University business is needed from the account of an employee who is unreachable, or who refuses to provide access upon request |
Primary: Unit Head Alternates: Dean, AVP or higher |
Authority completes Note: you may be contacted following submission to discuss the request and to provide additional details before access is granted. |
In writing from Authority |
Need to correct an erroneous "Out of Office" message created by an employee who is unreachable |
Primary: Unit Head Alternates: Dean, AVP or higher |
Authority completes Note: you may be contacted following submission to discuss the request and to provide additional details before access is granted. |
In writing from Authority |
Account Holder's employment terminated |
Primary: Unit Head Alternates: HR Client Services Manager, Dean, AVP or higher |
Authority completes Note: you may be contacted following submission to discuss the request and to provide additional details before access is granted. |
No |
After death of the Account Holder |
Primary: Unit Head Alternates: HR Client Services Manager, Dean, AVP or higher |
Authority completes Note: you may be contacted following submission to discuss the request and to provide additional details before access is granted. |
N/A |
Where there are reasonable grounds to suspect employee misconduct |
Primary: AVP Human Resources Alternates: University Counsel |
Authority completes Note: you may be contacted following submission to discuss the request and to provide additional details before access is granted. |
No |
Security or police request |
Authority: Director of Campus Security |
Authority contacts Information Security Officer |
Determined by Authority |
Search warrant |
Court |
Authority contacts Information Security Officer |
|
Remedy an accidental breach of privacy and/or misdirected email |
Primary: Access & Privacy Coordinator |
Authority completes Note: you may be contacted following submission to discuss the request and to provide additional details before access is granted. |
In writing from Authority |
Respond to a freedom of information request under FIPPA or similar applicable legislation where access refused upon request |
Primary: Access & Privacy Coordinator |
Authority completes Note: you may be contacted following submission to discuss the request and to provide additional details before access is granted. |
In writing from Authority |
Additional Context:
System administration and logs
System administrators and other employees responsible for troubleshooting or investigating system or security problems or complaints have access to resources, files and logs as necessary to fulfill their job duties. These employees are obligated to respect the privacy of all files and records.
Records of authorization
Records of authorization requests submitted through the online forms will be maintained by ITS and deleted after seven years. These records are classified as Confidential.
Unit Heads are advised to maintain their own records of Exceptional Access Authorization Requests.