Acceptable Use of IT Resources and Information Assets Procedures
These procedures support the policy on Acceptable Use of IT Resources and Information Assets VII.A.4 effective October 16, 2017.
Purdue University seeks to maintain its IT environment and manage its Information Assets and IT Resources in a manner that respects individual privacy and promotes user trust. However, the use of the University’s IT Resources is not completely private, and users should have no expectation of privacy in the use of IT Resources.
While the University does not routinely monitor the content of communications or transmissions using IT Resources, except for monitoring of activity and accounts of individual users of IT Resources when the user has voluntarily made them accessible to the public or where the University has reserved the right to do so by policy, any access to the contents of communications or electronically stored communications and information employing IT Resources must be authorized.
Technicians and administrators will obtain written requests and authorization for disclosure or access per the policy and these procedures before accessing or permitting access to an individual’s electronic information. Some types of data sets may require additional coordination with Purdue compliance officers, Data Stewards, or University legal counsel. Technicians and administrators, including third parties providing services (PaaS, SaaS, IaaS) to the University, will protect information according to Data Classification and Handling guidelines when fulfilling requests for disclosure or access. Original data should be protected from alteration by providing either a copy of the requested data or securing a backup of the information.
Technicians and administrators receiving requests from law enforcement or other outside agencies seeking access to computer accounts, files, or network traffic of an IT Resource User shall forward such requests to the appropriate and responsible Purdue department which may include, but not be limited to, the Purdue Police Department, Office of Legal Counsel, Human Resources, University Privacy Officer, Office of the Dean of Students, Office of the Vice President of Information Technology.
Any request for disclosure or access of information from University IT Resources per the policy on Acceptable Use of IT Resources and Information Assets (VII.A.4) must include the following information and submitted to email@example.com:
- Requestor name and department
- Authorized by (see Authorizers below)
- Receiving party (receiving a copy of the information or access to the information)
- Required by date
- Reason for requested disclosure or access
- Specific information required and data classification per Data Classification guidelines
- Required method or format of disclosure or access (e.g., hardcopy/electronic copy of information, or if required, access to IT Resource and level of access rights required)
- Source and destination for information (e.g., server file path, application, database, local computer)
Authorizers: Only the minimum access required in order to protect the University’s interests must be granted and be authorized as follows:
- A dean, in the case of an academic unit, a vice president in the case of an administrative unit, and/or a chancellor in the case of a regional campus, their designee(s), or University legal counsel shall have made a written finding prior to such access that the access is reasonably required in order to protect the University's Interests and shall have forwarded such written finding to the Office of the Vice President for Information Technology. Note: Any delegation to a designee as noted, shall be made in writing and shall be furnished to the Office of the Vice President for Information Technology upon request.
- The official designee of the Office of the Vice President for Information Technology, such as the department head for each ITaP unit, shall have made a written finding prior to such access that: (a) the access is reasonably required in order to protect the University's Interests, and (b) authorizes the requested access and specifies the scope and conditions of any permitted access. These written findings shall be maintained by the Office of the Vice President for Information Technology.
- Notwithstanding the foregoing, the Vice President for Information Technology, or his or her designee, may authorize access in the event that he or she reasonably determines that: (a) there exists an emergency that materially threatens the University's Interests, (b) that emergency access is reasonably required in order to protect the University's Interests, and (c) he or she specifies the scope and conditions of any permitted access. The OVPIT shall, as soon as reasonably possible after such emergency, make a written finding verifying the existence and satisfaction of the foregoing conditions.
III. Related References
IV. History and Updates
October 16, 2017-These procedures were separated from the policies for Privacy for Electronic Information (VII.B.2) and IT Resource Acceptable Use (VII.A.2) which are superseded by the policy for Acceptable Use of IT Resources and Information Assets (VII.A.4) issued October 16, 2017. Questions about this procedure can be addressed to firstname.lastname@example.org.