IT Policy

Effective Date: 10/27/2013
Chapter Name: 7.0 – Privacy
Chapter Number: 7.3
Date of Last Revision: 1/10/2014
Title: Privacy and Monitoring of Electronically-Stored Records

1.0 Purpose

Eastern Michigan University (EMU) respects the privacy of its employees and seeks to foster a climate free from arbitrary or capricious monitoring of employees and the records they create, use, or control. Nonetheless, the university must, at times, access or monitor records or record systems that are under the control of its employees. Also, since the university permits some latitude for employees to use university resources to conduct personal matters at their work sites, work-related records and employee personal records may be located in the same place. This policy outlines the conditions under which Division of IT employees may access and monitor electronically stored records on university-owned computer systems.

2.0 Scope

The policy shall apply to all Eastern Michigan University Division of Information Technology (DoIT) employees who have or request the authority to electronically access electronically-stored records of university faculty, staff, or students.

3.0 Policy

Other than as authorized under the regulations of this policy, no IT employee will access records or monitor the content of record systems located on university-controlled premises or university property, which includes but is not limited to university computers, networks, offices, and telephones.

University Obligations

A. For all records or record systems

IT employees may access or monitor all records or record systems only in strict compliance with the circumstances specifically outlined in the University’s “Acceptable Use of IT” policy (section C.2.a).

B. For specific record types

1. Business Records. IT employees may access business records or monitor the business record content of record systems when the university has a legitimate business need for the information contained within the record, and the employee who controls the business records or access to the business records (e.g. password, assigned office holder, etc.) is unavailable or unwilling to grant access.

2. Faculty-Owned Scholarly or Personal Records. IT employees will not access or monitor the content of faculty-owned scholarly or personal records except in the specific instances listed above in Section A.

C. Preserving and Protecting Records

In circumstances where the University determines that there may be a specific risk to the integrity or security of records, the University may take measures to protect or preserve those records. For instance, the University may take a “snapshot” of a computing account to preserve its status on a given date, copy the contents of a file folder, or restrict access to a record system.

Employee Obligations

A. Work-Related Records. Employees are responsible for organizing their work-related records so that they are accessible to those with a legitimate business need to know or access the information contained in them.

B. Faculty-owned Scholarly or Personal Records. While the University cannot provide an absolute guarantee as to the privacy of faculty-owned scholarly or personal records, employees should take reasonable measures to safeguard against inappropriate or inadvertent access to their records. EMU IT Procedure 7.3.P.2, “Personal and Private Folder”, specifies how employees should store and retain such files on university-owned computer systems.

4.0 Responsibility for Implementation

The University’s Chief Information Officer is responsible for the implementation of this policy.
5.0 Enforcement

Any employee found to violate federal or State of Michigan laws, EMU policies, procedures or standards of conduct, will be subject to disciplinary action under University policy. Suspected violations will be reported to the University’s Office of Human Resources.

Any student found to violate federal or State of Michigan laws, EMU policies, procedures or standards of conduct, will be subject to disciplinary action under EMU’s Student Code of Conduct. Suspected violations will be reported to the University’s Office of Student Conduct and Community Standards.

Any suspected violation of state or federal laws will be reported to the appropriate legal authority for investigation.

The University reserves the right to protect its electronic resources from threats of immediate harm. This may include activities such as disconnecting an offending computer system from the campus network, terminating a running job on a computer system, or taking other action.

6.0 Definitions

Records: A record is any document, file, computer program, database, image, recording, or other means of retaining fixed information that is created, received, used, or maintained within the scope of business conduct or employment at the university business or that resides on university-controlled premises or property.

Record Systems: Record systems are ways of storing, disseminating, or organizing records. They include university property controlled by the university such as computers, computing networks, telephone lines, voice mail, fax machines, and filing cabinets.

Business Records: A business record is any record created, received, used, or maintained by an employee in the normal course of his or her professional responsibility or work for the university, excluding scholarly records. Examples of business records include budget reports, purchase orders, work orders, correspondence or memoranda related to university business, student grades, meeting minutes and committee reports.

Faculty-Owned Scholarly Records: Faculty-owned scholarly records are works that are created at the faculty member's own initiative with university resources in the role of scholar, researcher, or teacher. They include handouts, reading lists, research plans, notes, charts, articles, presentations, books, films, music, and works of art. They do not include grades or records created as a result of a faculty member’s administrative appointment or committee work. EMU faculty (including full-time, part-time, adjunct, and emeritus faculty) own and control instructional materials and scholarly works created at their own initiative with usual University resources.

Personal Records: A personal record is a record that is created, received, used, or maintained by an employee for a purpose not related in any way to his or her work for the university.

Legitimate Business Need: A legitimate business need is any reason necessary to conduct the normal business of the university. A legitimate business need can be held only by a person who, based strictly on his or her job responsibilities, has a specific need to know the information accessed or monitored. The normal business of the university includes preparing departmental budgets, ordering equipment or supplies, computer support services, strategic planning activity, planning and construction of capital projects, preparation of work schedules, duties related to university committees, or financial audits. Legitimate business need does not include accessing or monitoring the content of records or record systems in order to determine whether a faculty or staff member is spending an excessive amount of work time on personal activities.
7.0 Revision History

Description: Corrected reference to EMU Acceptable Use Policy; Approval Date: January 10, 2014
Description: Revised to specify limitation on monitoring faculty-owned records; Approval Date: December 6, 2013
Description: Initial policy; Approval Date: October 27, 2013