There are several Computer related tasks that need to be completed when an Employee leaves the university or changes departments. Some of these tasks may need to happen immediately upon notice, some items need to occur before the individual leaves and other items occur on the last day. In the following sections we’ll provide guidance on how and when to take action on an Employee’s account, data and access.
Handling Employees’ Accounts, Data and Access in Special Situations
- Can I restrict my employees' personal use of their computers while at work?
IU policy allows employees some incidental personal use in the course of their work duties. However, that personal use must be appropriate; it must not violate the law, interfere with the employee's work responsibilities, or conflict with the university's mission of providing education through teaching, research, and public service. Additionally, employees may not use university resources for commercial or private gain, or for activities that are inconsistent with the university's tax-exempt status (such as political campaigning).
Supervisors are authorized to require employees to cease or limit any incidental personal use that interferes with job performance or violates university policy. If you feel that your employees may be neglecting work due to incidental personal use, you can address their behavior using progressive discipline, but be sure to consult with your departmental human resources person, the central human resources office, or the employee relations office. Be careful to address the job duties being neglected, not the personal use.
If you are unsure of the relationship of the incidental personal use to the university's mission, you can contact the University Information Policy Office (UIPO) or your regional campus Chief Information Officer (CIO) to help you determine whether the use is appropriate.
Investigations of Misconduct
An employee's access to computers or accounts may be disabled or limited while an investigation is being conducted into alleged misconduct, even if the person is still employed by IU.
Reasons for restricting employees' use of computers or accounts while at work include, but aren't limited to, the following:
- Concern for safety of departmental or other systems and data
- Reasonable belief that the employee is involved in illegal activities
- Reasonable belief that the employee has violated university policy
If you feel that an active employee's use of computers or accounts needs to be disabled or restricted, be sure to consult with your departmental human resources person, the central human resources office, or the employee relations office BEFORE taking any action.
To avoid the problem altogether, your department can publish a local policy that defines the acceptable level and nature of incidental personal use. When writing departmental policies, be careful to avoid targeting individuals.
This information is based on the university's IT policy IT-01 and IT policy IT-03.
For consultation in handling particular situations (preferably before taking action), contact your campus human resources office (contact information is available here, your campus employee relations office (812-856-5572 at IU Bloomington, 317-274-8931 at IUPUI), and/or the UIPO for all campuses.
- Can I access my employees' computer data, email, or voice mail?
In order to promote free discourse and maintain the environment appropriate to a learning institution, and because the university does allow incidental personal use, university policies protect the right to privacy of computer data whenever possible. There are however, times when a legitimate need arises for which you as a supervisor require access to an employee's computer data:
- If you need access to proceed with work and the employee is unavailable to access the data for you, obtain written (email or paper) permission from the employee granting access to the content.
- If the employee can't grant permission (e.g., has been terminated, is deceased or incapacitated), get written permission from your department's senior executive officer.
- If you think the employee is engaged in illegal activities using university accounts or resources, or if you believe the individual is violating university policy, get written authorization from the appropriate campus chancellor.
- In an emergency situation where you believe processes active in an employee's account or on an employee's device can or is causing system degradation or damage to other data, a technician or administrator can permit immediate access.
- If the employee is involved in fiscal misconduct, you will need a directive from the Director of Internal Audit.
- For other legal matters, you may need a court order or other legal documents and further direction from University Counsel.
Unless it's inappropriate or impossible, you should notify the employee before you access the data. Otherwise, you should notify the employee as soon as possible after the access.
Without specific authorization, you may use system-generated, content-neutral information (i.e., system logs, login records, connection logs, network activity logs, email logs, and auditing logs) to:
- Monitor system and storage usage
- Secure departmental systems
- Investigate technology abuse or misuse
- Support formal audits
When you contact a technician for access to an employee's data, that technician is required, where possible, to consult with the appropriate campus Chief Information Officer (CIO), who ensures that the appropriate authorization or permission has been granted. In doing so, the campus CIO is encouraged to consult with a university Information Technology Policy Officer, who can provide advice and policy interpretation to not only the CIOs, but also to you directly.
To ensure uninterrupted access to office communications, consider creating a departmental email account, which you can then publish as your contact point instead of publishing an individual's email account. Departmental account access can be assigned to different individuals depending on who is working at the time. Information about getting departmental accounts is available here.
To ensure uninterrupted access to shared data, you can name folders something generic, e.g., "Project X". Folders that are named with an employee's username or name are considered assigned to that user and require the authorization provisions above.
For access to email data that requires frequent sharing, consider using Folder Permissions or the Delegate feature in Microsoft Outlook. The owner of the account sets up the permissions or delegate access, thereby authorizing it. For instructions on how to do this within Outlook, see In Outlook for Windows, how do I allow other users to view my Calendar or other folders in my Exchange mailbox?
This information is based on the university's IT policy IT-07.
For consultation in handling particular situations (preferably before taking action), contact your campus human resources office (contact information is available at How do I contact the human resources office at each IU campus?), your campus employee relations office (812-856-5572 at IU Bloomington, 317-274-8931 at IUPUI), and/or the University Information Policy Office (UIPO) for all campuses.
For instructions for sharing folders, visit In Windows, how do I share a folder, drive, or printer on the network?
- What should I do if I have a suspected security breach?
You are legally required to report security breaches and notify the individuals involved, if the security breach disclosed or exposed a Social Security number (SSN), or any of the following in combination with a first name/initial and a last name:
- Credit card, debit card, or any other financial account numbers
- Access or security codes, or any passwords
- Driver’s license or state identification card numbers
You can find detailed steps for reporting a suspected breach on the UIPO security incident response pages. Notification to affected individuals usually comes from the unit associated with the breach, but be sure to coordinate with the IIA incident response team. They will make sure the appropriate forensic steps have taken place and appropriate notification procedure is followed.
The breach notification law is available here.
For information about protecting sensitive data and data protection laws, see the UIPO Data Protection pages.
Feel free to contact the UIPO if you would like more information.
- What should I do if I suspect an employee is misusing or abusing information or information technology at IU?
If you suspect that an employee may be misusing or abusing information or information technology at IU, first try to identify specifically what policy or law may have been violated. If you need assistance finding or interpreting applicable policies or laws, you can consult with any of the following:
- Your departmental, campus, or University Human Resources office (if the employee in question is a staff member)
- Your departmental, campus, or University Dean of Faculties Office (if the employee in question is a faculty member)
- The University Information Policy Office
- University Counsel (812-855-9739 for all campuses other than IUPUI; 317-274-7460 for IUPUI)
Once you have identified the applicable policy or law, you can address the behavior using progressive discipline, but be sure to consult with your departmental human resources person, the central human resources office, or the employee relations office before taking any action.
If you need to gather technical evidence or need a technical investigation or forensics expert, please contact the UIPO Incident Response team. Usually, results from the technical investigation or forensics study will be provided to the central administrative office for the category of employee (UHRS Employee Relations for staff, and Dean of Faculties for faculty), rather than the supervisor. That administrative office will coordinate next steps.
If you wish to remain anonymous while reporting a suspected abuse or misuse of information or information technology, Indiana University has a Whistleblower policy which protects your identity.
To use IU's anonymous reporting hotline
Visit reportfraud.iu.edu or call 888-236-7542.