Monitoring/Review of Employee Electronic Communications or Files:
Management Directive and Related Guidance from Vice President for Information Resources
version date: June 26, 2012
The University's Policy for Responsible Use of Information Resources (http://www.millersville.edu/pfru.php) contains the following statement: "Recent court decisions and amendments to Pennsylvania's Right-To-Know Law (65 P.S. §67.101 et seq.) establish, however, that University employees should not presume that they have privacy expectations with respect to information stored on or sent through University-owned information technology resources." The statement applies to all employees of Millersville University.
The University holds as core values the principles of academic freedom and free expression. In consideration of these principles, the Division of Information Resources will not monitor the content of electronic communications of its employees in most instances, nor will it examine the content of employee electronic communications or other employee electronic files stored on its systems except under certain circumstances. In this context, "electronic communications" includes telephone communications, so-called "phone mail," e-mail, and computer files traversing the University network or stored on University equipment.
Examples of when monitoring and/or review may occur include, but are not limited to, the following circumstances:
- communications or files targeted by jurisdictionally valid legal orders or requested in accord with Pennsylvania's Right-To-Know Law (65 P.S. §67.101 et seq.).
- electronic communications or files that have been inadvertently exposed to technical staff who are operating in good faith to resolve technical problems. When technical staff inadvertently see or hear potentially illegal content in communications or files, they are required to report what they have seen or heard to the University Police and the Vice President for Information Resources. Otherwise, the University expects technical staff to treat inadvertently encountered electronic communications and files of University employees as confidential and not subject to disclosure to anyone.
- routine administrative functions, such as security tests of computing systems, including password testing by system administrators to identify guessable passwords, and investigations of attempted access into systems by unauthorized persons (system administrators and other technical staff will not access employees' electronic communications or files while performing these functions).
- situations such as:
  - an investigation into allegations of violations of law or policy
  - an urgent need for access to University business documents when an employee is unavailable

  Such situations will be specifically reviewed by and approved by the president or the vice president (or equivalent) responsible for the affected employee(s).
- for some units of the University, routine monitoring or examination of employee electronic communications or files as part of the work environment. Such routines must be approved by the relevant vice president (or equivalent), and affected employees must be informed in advance that such monitoring or examination will be taking place.
This directive does not mean that the University has lower expectations for its employees' behavior. It expects University employees to obey all applicable policies and laws in the use of computing and communications technologies.
This directive shall not be interpreted as requiring public disclosure of confidential and privileged attorney-client communications with the PASSHE Office of Legal Counsel (or other duly appointed legal counsel for the University) seeking or providing legal guidance for or on behalf of Millersville University.
Interpreting the Directive
Authorization for non-law-enforcement University personnel to monitor or review electronic communications or files of employees, including faculty and staff, will not be granted casually. Such authorization will require justification based on business needs or on sufficient cause from reasonably substantiated allegations of violation of law or policy on the part of the faculty or staff member. Authorization may be granted by the University president or a vice president (or equivalent) responsible for the affected employee.
Investigations of Violations of Law or Policy
Requests for authorization to monitor or review electronic communications or files because of allegations of violations of policy or law by faculty or staff members usually originate with supervisors (see related policy on Release of Information Technology Usage Information). They may also originate with an investigatory authority such as the Assistant to the President for Social Equity and Diversity (looking into a sexual harassment claim, for example). A vice president who is asked to consider authorization for monitoring or reviewing the electronic communications or files of an employee must use his or her judgment in determining if there is sufficient reason to grant such authorization. In these situations, the University expects the vice president to maintain confidentiality and to consult with the PASSHE Office of Legal Counsel in determining whether to authorize monitoring or review and in determining if the affected employee or anyone else should be notified that the monitoring or review is taking place.
Examples of business needs include but are not limited to:
- the need to have access to the e-mail of an employee who is unexpectedly unavailable and who is conducting time-sensitive negotiations with an outside entity -- negotiations of sufficient importance to justify review of the employee's electronic communications and files when that employee is unable to give consent for that review
- an urgent and sufficiently serious issue of health or safety.
Often it will be desirable for the University to exercise diligence in enlisting the help of the employee to extract the business materials and in considering other steps to respect the personal nature of any other materials present if that help is unavailable. Such steps may include the use of an independent confidential reviewer -- a person on the University staff who does not have supervisory or management responsibilities for the employee whose materials are being reviewed -- to extract the business materials.
Circumstances Not Requiring Authorization
Most security tests of computing systems do not constitute monitoring or review of employee electronic communications or files. Consequently, presidential or vice-presidential authorization is not required for appropriate University staff to conduct such security testing, including testing done by system administrators to determine the strength of protection afforded by the passwords its employees select. In no case, of course, should employees reveal their passwords to anyone, including their system administrators. This testing is aimed at revealing weak or "guessable" passwords, and the appropriate action in responding to identification of a weak password is for the employee to change it immediately.
Similarly, presidential or vice-presidential authorization is not required for appropriate University staff to review attempted access of its systems by persons (employees or others) not authorized to use them.