Access to Individual User Accounts Policy

Title

University of North Carolina at Chapel Hill Policy on Access to Individual User Accounts

Introduction

Purpose

The University of North Carolina at Chapel Hill ("UNC-Chapel Hill" or "University") owns, operates, and/or controls various information technology (IT) resources. These resources are collectively known as "University IT." People who use University IT must follow University policies and procedures that govern how University IT may be used. 

The University has the right and ability to access and review information stored in Individual User Accounts on University IT. The purpose of this Policy is to clarify who is allowed to access or release information stored in Individual User Accounts, why the University needs access to Individual User Accounts, and what safeguards are in place to prevent abuse.

Scope

This policy applies to all Individual User Accounts, and access to them.

Access to, or use of, Individual User Accounts of University Students may be subject to additional or different requirements.

Accounts where more than one person is granted access are considered shared accounts. Some examples of shared accounts not subject to this policy include shared Outlook mailboxes; shared workspaces on Microsoft, WordPress, Adobe, Qualtrics or other platforms; cloud or other storage assigned to groups at the University; and social media and other accounts operated on behalf of University units. Shared accounts may be accessed by the University without restriction.

Policy

A. Who Is Allowed to Access or Release Individual User Account Data

Approved Access Units

Approved Staff in an Approved Access Unit (as identified in Attachment A) may directly access Individual User Accounts under this policy or request technical assistance to retrieve data content from such accounts, for the reasons listed in Attachment A.

Each unit covered by Attachment A must establish processes that are appropriate for the type of access they perform. The processes must keep access limited to the reasons described in Attachment A. The processes must include the ability to elevate a request to a supervisor for approval where the Approved Staff believes that is necessary.

The head of each Approved Access Unit (other than IT units), or their designee, is responsible for:

  • Designating Approved Staff authorized to access and review Individual User Accounts, including responding to IT Access Control reviews as required, and
  • Providing guidance to Approved Staff, including safeguards for appropriate use, consistent with the reasons set out in Attachment A.

Approved Staff who access Individual User Accounts or request account data content under this policy must comply with all other applicable legal and University requirements.

Approved Access Units may share data, consistent with law and University policy, for the purposes for which the data was accessed and released. This may be with other units of the University (the Institutional Privacy Office for example) or with third parties (a regulatory or other agency for example).

All Other Campus Units or Departments

Apart from the access described above, and in order to conduct University business without interruption, the University may, from time to time, need data from active Individual User Accounts that either does not fall into the categories described in Attachment A, or is needed by units other than Approved Access Units, and that cannot be reasonably obtained directly from the person whose account is needed. In that case, the head of a University unit or department may request data from Individual User Accounts under the following circumstances:

  • The request must be for legitimate business purposes;
  • The request must be limited to what is reasonably necessary for the legitimate business purpose; and
  • The University's Provost and General Counsel must approve the request in writing or by other electronic means if the Individual User Account is assigned to a person who is currently affiliated with the University.
    • If the request for data is for an Individual User Account assigned to a User in the Office of the General Counsel or the Office of the Provost, then the approval must be sought from the unaffected office as well as the Vice Chancellor of Institutional Integrity and Risk Management.

Other Allowable Access

Nothing in this policy should be interpreted to limit or contradict any other law, regulation, or policy that requires or permits access to Individual User Accounts for the purposes stated in that law, regulation, or policy. People may authorize access to their own Individual User Accounts, in compliance with other University policies, regulations, and applicable law. 

B. Data Preservation

Some Individual User Accounts may be put on hold by the University (commonly called "legal" or "litigation" hold). This can happen for many reasons and must have legal or business justification. In many cases, the account User will be aware of the hold, but not in every case. A hold is not the same as accessing the data in the account. 

University IT organizations may remove any Individual User Accounts not on hold in compliance with law and policy and according to routine practices. 

C. Public Record

Electronic information and communications made or received in connection with the transaction of public business, including that transmitted through or stored on University IT, may constitute a public record subject to disclosure under the North Carolina Public Records Act or other laws.

D. Discrimination, Harassment, and Retaliation

Access and requests for data governed by this policy must not violate the University’s policies on prohibited discrimination, harassment, and retaliation. 

E. Penalties

Access to Individual User Accounts in violation of this policy is unethical and may result in discipline, up to and including dismissal. People requesting or obtaining data from an Individual User Account under this Policy are expected to adhere to the requirements of this policy.

Exceptions

Exceptions may be made in writing by the Chancellor or Provost. 

Definitions

For the purpose of this Policy:

"Agent" means a person with authority to act on behalf of the University, such as an employee or contractor.

"Approved Staff" means UNC-Chapel Hill employees or contractors with specific job responsibilities that require access to Individual User Accounts.

"Approved Access Unit" means UNC-Chapel Hill campus units with specific job responsibilities that require access to Individual User Accounts, listed in Attachment A.

"Individual User Account" means an arrangement by which a person is given personalized access to University IT. Examples include email, file storage, cloud, phone voicemail, and similar accounts assigned to a single individual person.

"Release" means to access or move data in an Individual User Account for the purpose of allowing someone other than the person to whom the account is registered to inspect or use that data. This may include disclosing the data to others within the University or to an external third party.

"University IT" means any information technology or electronic communications systems, platforms, or services owned, operated, or provided by the University or any of its campus units. University IT also includes computers and devices connected to University systems or networks, or third-party systems provided under contract or on behalf of the University regardless of whether such computers or devices are owned by the University.

Related Requirements

External Regulations and Consequences

University Policies, Standards, and Procedures

Contact Information

Policy Contact

Official: UNC-Chapel Hill Vice Chancellor for Institutional Integrity and Risk Management

  • Email: gbattle3@unc.edu

Other Contacts

Unit: UNC-Chapel Hill Office of University Counsel

  • Email: OUC_Data_Release@unc.edu

Unit: UNC-Chapel Hill Information Technology Services

  • Online: help.unc.edu request to the ITS Policy Office
  • Email: its_policy@unc.edu

Attachment A

Approved Access Units

Approved Access Unit: ITS and other campus IT units providing systems with Individual User Accounts.

Permissible Purposes: May directly access necessary to:

  • Perform routine maintenance;
  • Perform troubleshooting of hardware, software, and IT services;
  • Investigate or prevent unauthorized access and use of University IT;
  • Perform access control reviews;
  • Move data;
  • Review logs;
  • Assist any campus unit that receives permission pursuant to the policy; and
  • Other IT functions performed in the normal course of business, including facilitation of other permitted access and data disclosure activities and IT security work.

Approved Access Unit: Internal Audit

Permissible Purposes: May directly access or request assistance to access necessary to:

  • Fulfill campus unit business purposes, including conducting University audits, special projects, investigations, and consultative engagements.

Approved Access Unit: Office of University Counsel

Permissible Purposes: May directly access or request assistance to retrieve data necessary to:

  • Comply with legal requests for information, including subpoenas, discovery requests, court orders, public records requests, lawful requests of any kind from state, federal, or international governance agencies;
  • Respond to requests for personal data of deceased or incapacitated Users by estate or other personal representatives with lawful authority;
  • Investigate and/or respond to reports of violations of University policy or local, state, or federal law;
  • Assist any Approved Access Unit with their responsibilities; and
  • Assist any campus unit that receives permission pursuant to the policy.

Approved Access Unit: Public Records Office

Permissible Purposes: May directly access or request assistance to retrieve data necessary to:

  • Respond to public records requests.

Approved Access Unit: University Archives

Permissible Purposes: May directly access or request assistance to retrieve data necessary to:

  • Manage University records according to applicable requirements.

Details

Article ID: 132145
Created: Thu 4/8/21 9:24 PM
Modified: Wed 5/10/23 3:41 PM
Effective Date: 05/10/2023 12:00 AM
Issuing Officer Title: Vice Chancellor for Institutional Integrity and Risk Management
Last Review: 05/10/2023 12:00 AM
Last Revised: 05/10/2023 12:00 AM
Next Review: 05/10/2025 12:00 AM
Origination: 02/27/2002 12:00 AM
Responsible Unit: Division of Institutional Integrity and Risk Management
