Privacy of Electronic Information and Information Technology Resources Frequently Asked Questions
Section 1 Q&A
Q: What is acceptable as written authorization? Is email ok?
A: The exact authorization requirements vary slightly for the different circumstances described in sections 1(a) through 1(g); however, the following should provide general clarity:
- (Preferred) Authorization may be provided via an S/MIME signed email directly from the authorizing official’s IU email account; or
- Authorization may be provided via an unsigned email (or FAX) if it includes the following:
  - a scanned image of the authorization letter with the authorizer’s signature; and
  - For 1(b) – 1(g): the letter must be on official IU letterhead from an IU email account.
You should retain the original copy of the authorization letter for your records.
Q: Is my departmental need serious enough to be considered a “critical operational necessity”?
A: A goal of Policy IT-07 is to balance the privacy of users with the need to access information in certain circumstances when it is appropriate to serve or protect other core values and operations of the university.
Therefore, access to information under provision 1(c) of Policy IT-07 should not be for mere convenience, but limited to situations where it is truly needed. It should also be indispensable or vital to the operation of the unit. Questions to ask: Will lack of access cause an operational crisis? Is access absolutely and unavoidably required by the unit?
In any case, this decision rests with the senior executive officer of the unit given the definition of “critical operational necessity” in the policy and the additional guidance provided in this FAQ.
Also, situations where this need arises should spur units to change procedures so similar situations are not encountered in the future. For example, creating a departmental mailbox to which people are granted access as needed, or requiring the storage of departmental information in a shared area on the server, addresses many situations.
Section 2 Q&A
Q: When the policy says that "reasonable efforts" shall be made to notify the individual of access, what does that mean?
A: Typically, this means the person accessing the data or requesting access to the data attempts to contact the individual via email and phone, or in the case of someone no longer associated with the university, the last known mailing address.
Section 3 Q&A
Q: How can “preserved materials that are no longer needed” be destroyed in a secure manner?
A: Material on paper or other physical media should be physically destroyed by shredding. Magnetic media may be wiped and reused. Read about secure data removal.
Section 5 Q&A
Q: What should I do if I receive a subpoena, warrant, court order, or other legal request demanding access to information technology resources or electronic information?
A: Immediately contact the Office of the Vice President and General Counsel.
Q: How do I go about requesting access to specific information technology resources or electronic information assigned to or associated with another individual?
A: For resources maintained by University Information Technology Services (UITS): send your request to firstname.lastname@example.org.
A: For resources that are not maintained by UITS, direct your request to the technology director of the unit managing those resources.
Related Policies, Laws, and Documents
- Office of the Vice President for Information Technology
- University Information Policy Office | email@example.com
- Revised July 30, 2018
- Posted March 2, 2009
- Revised Fall, 2008
- Drafted December 7, 2007