Standard Operating Procedure
Title: Authority to access and monitor University IT Account holder communications and data
Version: 2.0
Effective Date: March 2016
Summary: Describes the approval process and record‐keeping where access to account holder data is required

When using this document please ensure that the version you are using is the most up to date by checking the University’s online document system http://documents.manchester.ac.uk/list.aspx for any new versions.

1 Background and purpose

The University’s Regulation XV reserves the right for the University to monitor and/or investigate general computer and network usage, including email traffic and the use of the internet, in order to detect any breach of this Regulation or of the law. However, no IT Account holder is permitted, as a matter of routine, to access a user’s IT Account or monitor their use of University IT facilities. Where it is believed to be necessary to monitor usage or to access an IT Account, communications and/or other data held or transmitted using University‐provided IT facilities, the requirements of this Procedure must be observed.

The purpose of this document is to describe the procedure for monitoring the use of University IT facilities and accessing an IT Account and/or IT Account data. It applies to the use of all University IT facilities and may require access to files and electronic communications, including email and details of telephone and internet activity, whether stored or in transit.

The implementation of this Procedure will:
- provide clarity to all users of University IT facilities regarding privacy expectations;
- ensure consistency of procedure across the University; and
- clarify the roles and responsibilities of those involved in approving and accessing IT Account data.

2 Definitions and scope

For the purpose of this Procedure the following definitions apply:

University IT facilities means all University IT facilities and services, including all:
- physical or virtual computers, whether servers, desktops, terminals or mobile devices;
- peripherals such as monitors, keyboards and printers;
- computer networks, including wireless and telecommunications networks;
- software and data on University IT facilities;
- computer‐based information systems provided for any purpose; and
- devices not owned by the University which are connected to the University network.

IT Account means the account pursuant to which users are granted access to University IT facilities.

IT Account holders include all staff, students or other authorised users of University IT facilities who have been given an IT Account.

IT Account data includes:
- material stored by or about an IT Account holder, on a computer or other storage device provided by the University, e.g., data files, usage data;
- information in transit between, to and/or from IT Account holders, e.g., email messages sent, web pages visited using University IT facilities; and
- metadata obtained through routine logging pertaining to the activities carried out by the IT Account holder.

IT Account access includes:
- interception of IT Account data;
- examination of IT Account data; and
- monitoring IT Account data and use of University IT facilities.

“Restricted” and “Highly Restricted” information security categories relate to confidential or sensitive data which requires enhanced security, “Highly Restricted” information requiring the highest level of security.

Authorised Persons – staff who are responsible for authorising IT Account access:
- Staff accounts – both: the “HR Authoriser” ie the Director of HR or their nominees AND the “IT Authoriser” ie the Director of IT or the IT Risk Manager.
- Student accounts – both: the “Student Authoriser” ie the Director for the Student Experience or nominee AND the “IT Authoriser” ie the Director of IT or the IT Risk Manager.

Designated Staff – specific IT staff who have been authorised to access the IT Account data, either through their job description or with written authorisation from the IT Authoriser.

3 Procedure and responsibilities

3.1 Consequence of non‐compliance with this Procedure

Compliance with this Procedure is mandatory and non‐compliance must be reported to the Director of IT Services who will determine the action to be taken. Staff must note that any breaches of this Procedure may be treated as misconduct under the University’s relevant disciplinary procedures and could lead to disciplinary action. Serious breaches of this Procedure may constitute gross misconduct and lead to summary dismissal.

3.2 Circumstances where IT Account access may be required:

IT Account access may be required in order to achieve a number of objectives including the following:

3.2.1 to ensure the effective and authorised operation of systems (routine monitoring which involves some logging of system usage): Designated Staff may intercept certain communications where the interception is for purposes connected with the provision or operation of a service, for example but not limited to:
- eliminating unsolicited commercial email;
- dealing with activities which put University IT facilities at risk or adversely affect performance; and/or
- blocking and/or logging access to websites whose content is illegal or a security threat.
Most routine monitoring does not identify the contents of communications. Where the individual is identifiable, the approval procedure described in this Procedure must be followed before any access or monitoring takes place;

3.2.2 to prevent or detect crime: a number of other non‐University bodies, including the police, may be allowed IT Account access in certain circumstances and there is a separate procedure for managing information requests from third parties. However, in dealing with any third party requests for IT Account access, the requirements of this Procedure must, to the fullest extent possible, be observed;

3.2.3 to establish compliance or non‐compliance with University statutes, ordinances, regulations, policies and procedures: for example but not limited to:
- suspected unacceptable use of University IT facilities and/or suspected breach of terms of contract of employment, which might involve monitoring the extent to which communications are relevant to the business of the University; and
- routine monitoring, such as that described in section 3.2.1, or other evidence discovered as a result of IT operational activities, may also trigger concerns regarding potential breaches of University policies and procedures which warrant further investigation;

3.2.4 to access IT Account data for University business purposes: for example but not limited to:
- where a member of staff or a student is absent and access to their account is required to complete a piece of work;
- where a member of staff or a student leaves the University and requests access to data held on University IT facilities; and
- to comply with a Subject Access Request under the Data Protection Act 1998, where the IT Account holder is unwilling or unable to co‐operate; and

3.2.5 to protect or provide support for the welfare of an individual, e.g., where the University has serious concerns regarding the safety of an individual.

3.3 Approval of requests for IT Account access

A summary of this procedure is shown in Appendices A and B. Each individual act of monitoring must be specifically authorised and documented as described in this section 3.3 and section 3.4 below.

3.3.1 Requests for IT Account access for the purposes outlined in section 3.2 above must be submitted using the prescribed “IT Account Access Request” form (“Access Form” – see Appendix C). The Access Form must be completed by the IT Account holder’s line manager or nominee in the case of access to staff IT Accounts, or by the relevant Head of School Administration or nominee (“HoSA”) in the case of student accounts.
Where courses are not run at a School level (eg foundation studies) the Director of Faculty Operations or nominee (“DoFO”) must complete the Access Form. Requests for IT Account access from third parties, including ex‐staff and/or ex‐students, must be directed to the Records Management Office. Where appropriate, the Records Management Office will submit the completed Access Form directly to the IT Authoriser.

3.3.2 The line manager or HoSA/DoFO, as applicable, will usually contact the IT Account holder to obtain their consent for IT Account access; however consent will not need to be sought, for example, where:
- such IT Account access is required to ensure the effective and authorised operation of systems (see section 3.2.1 above); and/or
- notifying the IT Account holder would be prejudicial to an investigation (see 3.2.2 and 3.2.3 above).
Any consent obtained must be noted on the Access Form and any evidence of consent provided by the IT Account holder must be kept with the Access Form and forwarded to the relevant IT Authoriser.

3.3.3 Where consent is not, or cannot be, given, or it is not appropriate to seek consent and there is no alternative way to obtain the required information, the request for IT Account access must be authorised as follows:
- staff IT Accounts – HR Authoriser;
- student IT Accounts – Student Authoriser.

3.3.4 Requests for IT Account access will only be considered for access to specific information, not for general access to the IT Account holder’s data, and for as short a period of time as possible.
IT Account access must be justified by providing:
- a compelling reason why IT Account access is necessary;
- an explanation of how the information to be accessed will support the reason for the request;
- an assessment of the impact on any individuals, other than the individuals for whom IT Account access is being requested.
Any IT Account access must be carried out with as little disruption as possible to the communications of third parties that are unconnected to the authorised access.

IT Account access for business purposes will only be considered in exceptional circumstances, as appropriate business processes should avoid the need for such requests, e.g., through the use of shared folders or role email accounts. Such requests for IT Account access must demonstrate that a delay in accessing the data will cause disproportionate damage to the University’s interests.

3.3.5 The relevant IT Authoriser must approve all authorised requests for IT Account access. Approval may be declined if the data requested cannot be reliably obtained or is excessive for the required purpose.

3.3.6 The right to access the IT Accounts provided to visitors or temporary users of the wireless network, and details of the obligations attached to such access, must be included in the terms and conditions for that service.

3.4 IT Account access

3.4.1 Once approved, the process of accessing IT Account data must be undertaken by Designated Staff acting under the direction of the IT Authoriser. The prescribed procedures must be followed as appropriate to the circumstances, together with any relevant templates for reporting. The following general principles apply.

3.4.2 Designated Staff:
- are required to observe the strictest confidentiality when accessing IT Account data;
- must access, monitor or record IT Account data only to the extent necessary to establish facts with minimal intrusion and disruption to others that are unconnected to the authorised access;
- must follow the prescribed procedures appropriate to the circumstances eg obtaining digital evidence;
- must ensure that only the specific authorised IT Account data is accessed and that other data is not read or disclosed. However, the University cannot guarantee that in the course of accessing any IT Account data, inadvertent viewing of the IT Account holder’s personal, non‐University data will not occur, where University IT facilities have been used to store such data;
- must keep a record of the operations carried out and the IT Account data accessed;
- must inform the IT Authoriser when the access or monitoring activity has ceased; and
- after the necessary information has been retrieved, must ensure that all investigative access is revoked.

3.4.3 If, in the process of accessing IT Account data, Designated Staff discover suspected activity which is in breach of the University’s Acceptable Use Policy, this must be escalated back to the Authorised Persons for consideration as to next steps.

3.5 Record keeping

3.5.1 A copy of the Access Form and any consent provided by the IT Account holder must be retained by the IT Authoriser for audit purposes and evidence that this Procedure has been followed. The Access Form, including forms for requests which have been rejected, must be retained by the IT Risk Manager for a period of time in line with the University’s Records Retention Schedule, as appropriate to the type of IT Account holder eg staff record.

3.5.2 Any data obtained or reports created as a result of the authorised access must be:
- treated as Highly Restricted and must only be examined by those persons who are authorised to do so by the HR or Student Authoriser;
- retained only for as long a period as deemed necessary for the specific purpose and in line with the University’s Records Retention Schedule;
- stored securely and labelled accordingly depending on the sensitivity of the material involved; and
- made available to the IT Account holder, if requested.
If the access or monitoring does not uncover any material which would warrant further action, all reports and copies of material accessed must be destroyed after 28 days.

3.6 Next steps

Any reports or records obtained or created as a result of the authorised access will be sent to the HR or Student Authoriser who will determine what further action needs to be taken, and with whom the information will be shared.

4 Monitoring compliance with the Procedure

4.1 Enforcement

The Director of IT is responsible for ensuring that this Procedure is followed prior to any access or monitoring taking place.

4.2 Audit

The authorisation documentation required as part of this Procedure will be audited periodically.

4.3 Reporting

A summary report will be provided for the Information Security Governance Group comprising:
- the number of occasions which call upon this procedure – reports will be provided by the IT Risk Manager;
- the key factors giving rise to the requirement for access or monitoring, and actions planned or taken to mitigate future requests; and
- any lessons learned to improve the Procedure.

5 Review of Procedure

This Procedure will be reviewed at least every two years or when significant changes are required.

6 Contact list for queries related to this procedure

Role | Name | Telephone | Email
Director for Student Admissions and Administration | Sarah Beer | 0161 275 2082 | Sarah.Beer@manchester.ac.uk
Information Security Manager | Barbara Frost | 0161 275 2122 | Barbara.Frost@manchester.ac.uk
HR Policy Manager | Karen Scoresby | 0161 306 5753 | Karen.Scoresby@manchester.ac.uk
IT Risk Manager | Mike Vale | 0161 306 3541 | Mike.Vale@manchester.ac.uk

Version amendment history

Version | Date | Reason for change
1.0 | Dec 2014 | Creation
1.1 | Dec 2014 | Amendment to emphasise the procedure for third‐party requests
2.0 | March 2016 | Reduction in the number of IT Authorisers

Document control box

Policy / Procedure title: Authority to access and monitor University IT Account holder communications and data
Date approved: March 2016
Approved by: Information Security Governance Group and HR sub‐committee of PRC
Version: 2.0
Supersedes: Authority to access and monitor University IT Account holder communications and data v1.1
Previous review dates: December 2014
Next review date: January 2018
Related Statutes, Ordinances, General Regulations: University General Regulation XV
Related policies: Acceptable Use Policy: http://documents.manchester.ac.uk/DocuInfo.aspx?DocID=16277
Related procedures:
- Standard operating procedure – Acceptable Use ‐ Staff: http://documents.manchester.ac.uk/DocuInfo.aspx?DocID=16221
- Standard operating procedure – Acceptable Use ‐ Students: http://documents.manchester.ac.uk/DocuInfo.aspx?DocID=16220
- IT account access request form: http://documents.manchester.ac.uk/DocuInfo.aspx?DocID=23216
Related guidance and or codes of practice:
Related information:
Equality relevance outcome:
Policy owner: Director of IT, Director for the Student Experience, Director of HR
APPENDIX A

PROCEDURE FOR APPROVING INTERNAL REQUESTS TO ACCESS THE IT ACCOUNTS OF STAFF

[Flowchart. Text of the boxes follows; the decision boxes branch on Yes / No.]

- IT staff detect suspected misuse of University IT facilities and inform relevant IT Partner, Head of Digital Technologies and Services, or Director of IT or nominee (“IT Authoriser”)
- IT Authoriser discusses incident with the relevant line manager who arranges for the Access Form to be completed if further investigation is required
- Line Manager or nominee completes IT Account Access Request form (“Access Form”) and, where possible or appropriate, forwards to IT Account holder for consent
- IT Account holder provides consent in writing to allow access to their IT Account or data (decision)
- Line Manager forwards Access Form to IT Authoriser, together with evidence of consent
- Line Manager forwards Access form to Director of HR or nominee (“HR Authoriser”) for approval
- HR Authoriser approves request (decision)
- Request rejected
- Relevant IT Authoriser approves the request (decision)
- Request rejected and HR Authoriser informed
- IT Authoriser forwards a copy of the approved Access Form to the Designated IT staff
- Designated IT staff follow the relevant procedure eg SOP for collection and acquisition of digital evidence
- The Access Form is filed by the relevant IT Authoriser, together with any comments on approval or rejection and evidence of consent
- Designated IT staff provide data and/or reports to the line manager where the account holder provided consent
- Designated IT staff provide data and/or reports to the HR Authoriser
- HR Authoriser determine if further action is required
- Depending on the action required, all records will be kept in accordance with 4.4 of this SOP

Please note that requests for access to IT accounts from external parties eg parents, ex-staff, ex-students, police etc must be directed to the Records Management Office. Where appropriate the RMO will submit the completed Access Form directly to the IT Authoriser.

APPENDIX B
APPENDIX C

IT ACCOUNT ACCESS REQUEST
[This form can be found as a separate document on http://documents.manchester.ac.uk/DocuInfo.aspx?DocID=23216 ]

This form is to be used to request authorisation to access or monitor an IT Account in accordance with the University’s Standard Operating Procedure for accessing and monitoring University IT Account holder communications and data http://documents.manchester.ac.uk/DocuInfo.aspx?DocID=16278 . Please ensure that you have read the Procedure prior to completing this form.

SECTION 1
To be completed by the person making the request:
- Staff IT Accounts – completed by Line Manager or nominee
- Student IT Accounts – completed by Head of School Administration or Director of Faculty Operations or nominee

Name of person issuing request
Job title
School/Directorate
Date of request

Details of the account holder whose data will be accessed:
Name
Username eg mtsxxxxx
Staff or Student ID number (library card)

State the precise nature of the data to be accessed or monitored. Consider carefully whether there might be any likely adverse impact of the access/monitoring arrangement eg impact on the relationship of mutual trust, extent of intrusion into the user’s private life, third parties who may be affected by the arrangement.

State the business reason why monitoring or access is required. This must include an explanation of why obtaining access is a proportionate response. Have you considered alternative ways of getting this information?

Has the account holder given consent? Any evidence of the consent provided by the account holder, or attempt to gain consent, must be kept with this form and passed to the IT Authoriser.

State the required duration of the proposed activities eg duration of monitoring or access, periods requiring investigation:

SECTION 2
To be completed by the Authorised Person where consent is not obtained from the IT Account holder:
- Authorised Person for Staff IT Accounts – Director of HR or nominee
- Authorised Persons for Student IT Accounts – the Director for the Student Experience or nominee

Request granted, amended or rejected and reasons for decision:
Name of person authorising this request:
Job title:
Date authorised or rejected:

SECTION 3
Authorisation for IT staff to undertake the work: to be completed by the relevant IT Authoriser ie the Director of IT or the IT Risk Manager

Request granted, amended or rejected and reasons for decision eg explanation of why the request might not provide reliable evidence; cost of obtaining evidence compared to benefit it provides:

Designated Staff who will be accessing the data or undertaking the monitoring (record all staff who are to be involved in the investigation):
Name:
Job title:

Name of person authorising this request:
Job title:
Date authorised or rejected:

The completed form must be retained by the IT Authoriser as evidence that the procedure has been properly followed.