Information Technology Services
Requesting Access to An Employee’s E-mail/Attachments or Computer Files: UCOP Procedure
The UC Electronic Communications Policy (ECP) establishes principles that protect the privacy of employees’ electronic communications, except in situations where legal requirements take precedence.
- Electronic Communications Files. Electronic communications primarily consist of e-mail and attachments. If access to those electronic communications is required, the appropriate consent procedures must be followed, as described below.
- Files Created on a Computer. When reviewing files created on an individual’s computer, consent to access generally is not required because those files do not meet the ECP definition of an “electronic communication record.” When reviewing such files, colleagues have an obligation to respect the privacy of personal communications and not review e-mail messages or attachments.
Any review, whether limited to computer files for which no consent is required or including e-mail and attachments pursuant to authorized access, should be limited to the minimum necessary review in order to resolve the situation.
Procedures for Requesting Access
Note: Requests for access should be made by a manager or, in cases in which an investigation will be conducted, the UCOP Director of Investigations in the Office of Ethics, Compliance and Audit Services. See section 3 below.
Who Have Separated or Died
When an individual is no longer employed at UCOP, and no longer has access to their e-mail account, the manager may ask the IT Service Desk for access to the individual’s e-mail account and computer files, without the consent of the former employee, and without requiring a formal request for nonconsensual access. Before access is requested, the manager should make sure that the separated employee’s password has been changed so that the former employee no longer has access to the e-mail account. If the account cannot be cancelled or the account password changed in a timely manner, the manager is required to follow the ECP procedures for obtaining nonconsensual access.
The IT Service Desk handles requests depending on the type of records sought. Records are grouped into two categories:
Administrative Records. Administrative records belong to the University. When an employee has separated from the University or died, University representatives (preferably the individual’s manager or department administrator) may be provided access to administrative records—whether e-mail or files.
- Employees on Leave
The manager should ask an employee going on leave (maternity, sick, extended vacation, etc.) in advance for permission to access the employee’s electronic communications during the leave period to ensure business continuity as necessary. This permission also can be requested while the employee is on leave. In both cases, the employee should be asked to complete the Consent Form found on the Web. If it is not possible to obtain consent, the manager is required to follow the ECP procedures for obtaining nonconsensual access.
- Situations Involving Criminal
Investigations or Sensitive Matters
When a current employee has not given or cannot give permission for access, or must not be alerted to the request for access, or when an investigation will be conducted involving a separated employee, the manager must contact the Director of Investigations, who will follow the ECP procedures for obtaining nonconsensual access . Note that the Regents Committee on Audit authorizes Internal Audit to have access to University information except where prohibited by law. (See ECP, Section IV, Privacy and Confidentiality.)
Intellectual Property. Intellectual property may belong to the individual. Generally that individual or, in the case of death, a legal beneficiary, may access these materials (this usually applies to cases involving faculty members). In these situations, the Office of the General Counsel must be involved to manage the access request.
Questions about specific cases should be directed to Stephen Lau in ITS.