Electronic Data Access Policy
Purpose
To outline the processes associated with providing anyone at Wesleyan University access to another individual’s email or files stored on Wesleyan-provided systems.
Scope
This policy (effective date TBD) covers all requests for one Wesleyan employee to access another employee’s email or electronic files stored on Wesleyan-provided systems.
Policy
Requests to access files in Wesleyan-provided file shares (e.g. OneDrive, Sharepoint, Google Drive)
Supervisors or department chairs may request access to files stored in a current or former employee’s or current or former faculty member’s Wesleyan-provided file shares without obtaining any additional approvals. Files stored in Wesleyan-provided file shares are assumed to have been intentionally placed in those file shares to allow Wesleyan to conduct its business. Whenever access is provided in this manner, the Chief Information Security Officer will provide the access and send the Chief Information Officer a summary of the provided access. Any requests for a current Wesleyan employee’s data will be communicated to the employee as circumstances allow.
Approval of requests for access to email or files stored outside of Wesleyan-provided file shares
All requests to access email or files stored outside of Wesleyan-provided file shares, such as on a Wesleyan-provided workstation, require approval as outlined below. The individuals who must approve a request will vary based on the primary relationship of the individual whose email or files are being requested. Any requests for a current Wesleyan employee’s or student’s data will be communicated to the employee as circumstances allow.
|
Relationship |
Approvers |
|
Employee |
Chief Administrative Officer, the Chief Information Officer, and the Associate VP for Human Resources |
|
Faculty or Emeriti |
Chief Administrative Officer, the Chief Information Officer, and the Senior VP for Academic Affairs/Provost |
|
Student or Alumni |
Chief Administrative Officer, the Chief Information Officer, and the Vice President for Student Affairs |
|
None of the above |
Chief Administrative Officer, the Chief Information Officer, and the General Counsel |
Requests to comply with law enforcement inquiry or subpoena.
Any requests to comply with requests coming from law enforcement agencies require approval from the General Counsel who will inform the otherwise authorizing individuals shown above. The General Counsel will provide the Chief Information Security Officer with a list of search terms or criteria to identify relevant messages. Once that approval has been obtained, the Chief Information Security Officer will provide the email messages to the requesting law enforcement agency. The General Counsel will determine if any subject individuals at Wesleyan should be or must be notified of the request from a law enforcement agency.
Email accounts in the University archives
The University Archivist will maintain a list of university positions of archival interest. Whenever an individual holding one of those positions leaves the University, the University Archivist will contact the Chief Information Security Officer to arrange to receive a copy of the individual’s email. The Chief Information Security Officer will provide the email in an available format that best preserves any metadata associated with those messages. With respect to employee data, ITS will scrub any Personally Identifiable Information (PII) and requestors will be instructed to ignore any potentially surviving PII.
Requests to access data of deceased or incapacitated individuals.
A request to access electronic data of a deceased or incapacitated person must originate from a legally authorized individual (e.g., executor, holder of power of attorney) supported by a legal document demonstrating authorization. The legally authorized individual will provide the Chief Information Security Officer with a list of search terms or criteria to identify relevant messages. The Chief Information Security Officer will locate the relevant messages and redact or remove any content that is protected by laws such as the Family Educational Rights and Privacy Act (FERPA). The Chief Information Security Officer will provide the email messages to the legally authorized individual.
Exceptions
If the Chief Information Security Officer has reason to believe that there is an unacceptable life/safety risk to waiting for the relevant approvals, the Chief Information Security Officer can, with the concurrence of any other cabinet member, access the individual’s email prior to obtaining the relevant approvals. When this occurs, the Chief Information Security Officer will send an email to the Chief Information Officer to document that this was done.
Appendix
Email formats
For most requests, email messages will be provided as pdf files. For requests from law enforcement agencies, email messages will be provided as pdf files unless an alternate format is requested and can be produced without undue burden or cost. For requests from the University Archivist, the email messages will be provided as either pst files or mbox files, depending on whether the email archive resides in Exchange 365 (pst) or Google Mail (mbox).
File formats
Files will be provided in their native formats.
Revision History
Approved June 2024