IT Investigations and Data Access Policy

This policy explains the situations in which access to data and investigations can be carried out.

It applies to any member of the University who thinks they need access to data.

It applies to data held in any University IT service whether it is provided directly by a University department or is managed by a third party on behalf of the University. University data held on third-party systems that are not provided as a University IT service, for example Dropbox, are excluded.

1. Policy

1.1 The University will not routinely monitor user activity or user data on its IT facilities but will collect data to support investigations when required.

1.2 The University will only carry out an investigation (IT Investigation) or provide access to data held in a user account (Data Access) if there is a legitimate reason for doing so and if the investigation can be shown to be justifiable, fair, proportionate and compliant with UK legislation.

1.3 The University will follow a standard procedure for considering requests for IT Investigations and Data Access but each case will be considered individually with respect for the interests of all parties.

1.4 Data Access will only be considered in cases where the consent of the account holder cannot or should not be obtained and where it is not possible to obtain the same information via another route.

1.5 IT Investigations and Data Access may only be undertaken by specific members of staff as part of their normal duties and with management approval. Unapproved IT Investigation or Data Access is a breach of University regulations and may also be illegal; such activities may therefore lead to disciplinary or legal action.

1.6 Staff who are involved in IT Investigations and Data Access must follow the 'Method Statement - IT Investigations and Data Access'.

1.7 Where Data Access has taken place, the user whose data has been accessed would normally be informed their data has been accessed.

2. Requesting an IT investigation or Data Access

2.1 A request may only be made by a Head of Department, a member of staff with equivalent seniority, or a person nominated by the Head of Department, to ensure the request is bona fide and appropriate in the context. Requests which arise as part of Legal proceedings should be dealt with separately because they require approval from the Registrar - see section 4 below.

2.2 Requests from Heads of Department (or their nominees) must be prepared using the pro-forma in the 'Method Statement - IT Investigations and Data Access', to ensure required information is provided.

2.3 Requests involving central University facilities will be approved by the Directors of IT. Requests involving departmental facilities will be approved by the relevant Head of Department. Requests can be approved by more senior members of the University management team if the usual approver is absent.

2.4 A Head of Department cannot make and approve the same request. In these cases the request should be approved by a more senior member of the University management team.

2.5 The approver must specify and record the names of those staff who will be involved. Other staff must not be involved if they have not been authorised to be involved in the request. A minimum number of staff must be involved.

2.6 Information collected or processed must be kept confidential and must only be shared as required for the purposes of the investigation.

2.7 Staff who carry out the request must keep written records (to provide an audit trail) of the request, the authorisation, and a description of the information provided or disclosed. These must be kept in a secure location controlled by the Head of Department. The records must not be accessed without the Head of Department's permission.

2.8 Written records must only be retained for the period deemed necessary for the specific purpose for which they were collected.

3. Investigation of a report of misuse of IT facilities

3.1 If a report of misuse of IT facilities is received, the Deputy Registrar (or their nominee) should instigate an IT investigation (see section 2 above). Examples of misuse which may necessitate an investigation are:

  • report of harassment
  • allegation of use of university facilities to browse inappropriate materials on the web
  • a staff performance issue where evidence of computer use is needed to prove or disprove the allegation

3.2 The investigation should seek to establish whether a prima facie case exists which might be a contravention of University rules, regulations, procedures, or the law. The auspices under which any investigation is made should be made explicit.

3.3 Investigation staff must follow the 'Method Statement - IT Investigations and Data Access' which provides detailed procedures for investigating and reporting alleged misuse of IT facilities.

3.4 If a case is established, further action will be taken forward by the department's senior management team in conjunction with University departments involved in disciplinary matters, eg Student and Academic Services (for students), HR Services (for staff).

4. Legal Requests

4.1 Ordinarily, staff members will be asked to assist the University with legal requests. Where this is not possible, eg because the staff member is on long-term leave, IT Services may access user accounts in order to comply with Freedom of Information enquiries or Data Protection requests. Such requests should be referred to the Chief Operating Officer or University Secretary for initial approval.

4.2 Accounts may also be accessed by IT Services without employee knowledge where required. Such requests will be referred to the Chief Operating Officer or University Secretary for initial approval.

4.3 If the request requires investigation of the use of centrally provided IT services, the Director of Infrastructure (or their nominee) will define and approve the actions to be taken. If the request requires investigation of the use of departmentally provided IT services, the relevant Head of Department (or their nominee) will define and approve the actions to be taken. As with internally instigated investigations, only authorised staff may carry out the work and full records must be kept.

4.4 If University disciplinary action or criminal prosecution arises from investigations, IT Services and/or the Department will provide relevant evidence for the disciplinary or prosecuting authorities as required. The evidence will be collected and presented to conform to the relevant rules of evidence and expert guidance will be sought before proceeding.