Individual IT Account and Use Data Standard

Title

University Of North Carolina At Chapel Hill Standard On Providing Assistance with Individual Account and Use Data 

Introduction

Purpose

Information Technology (IT) staff are primarily responsible for the management of University IT systems and the data they contain. In some circumstances, non-IT staff are responsible for the management of a University system or its data. Applicable University policies authorize designated individuals in specified offices to access University data under defined circumstances. Information Technology and other staff are required to provide technical assistance if needed. 

This Standard is intended to provide guidance to IT staff, system administrators, and others with IT management responsibilities on how to comply with University IT policies including the University of North Carolina at Chapel Hill Policy on Access to Individual User Accounts (“Account Policy”). 

Scope

This Standard applies to:  

• Anyone responsible for University IT systems with individual accounts and systems that make durable logs or other records of individual people using a University IT system.  
• Accounts assigned to individuals on University IT systems. 
• Individual accounts regardless of data ownership. 

This Standard does not apply to: 

• Non-electronic information such as paper sign-in sheets).  
• Documents and records like classroom sign-in polls or unit “in/out” boards that are meant to be used for “presence” tracking and are known to the people using them. 
• IT staff doing technical and system management work (e.g., migration of data on systems, space management, archiving, backups, technical troubleshooting, IT security, and in the ordinary course of system management). This work is broadly permitted by policy, and this Standard adds no additional requirement or guidance. 

Section 1 (Individual User Account Data) of this Standard does not apply to: 

• Shared/unit/group accounts 
• Assisting people with their own accounts. When a person is still an active, authorized user of their account, providing technical support to help them do anything they are authorized to do is standard practice.

Standard

Background 

The Account Policy authorizes staff to perform their job responsibilities in compliance with University IT policies. IT staff may share Log and user data with:  

• Other responsible technical staff (including IT security),  
• Third parties (vendor technical support for example) for technical management purposes according to any contract in place for that service, and  
• As otherwise allowed in the Individual User Accounts Policy. 

Individual IT systems and services have particular access control methods, constraints, Service Level Agreements, contractual arrangements, regulatory requirements (FERPA, HIPAA, etc.), applicable University policies, and use processes that set higher or additional authorization requirements for data transfer or for releasing data to people who request it. This Standard sets minimum requirements and is not meant to conflict with those additional requirements. 

Section 1: Individual User Account Data 

This section is about data:  

• Created with some intention by people using IT systems, and 
• That is stored in accounts assigned only to them.  

The best example of Individual User Account data is e-mail.  

Requests for account content  

IT or other staff with IT management responsibilities must have authorization to transfer content from an Individual User Account prior to transferring any content. Authorization to transfer content may only be given by a person with authority as provided in the Account Policy. Authorization is automatically given for routine technical support activities or when the content is requested by account holders with active Onyens (given to the individual or to someone they designate.) 

If IT staff does not have authority, or if IT staff has any question about whether or how to fulfill a request they are encouraged to:  

• Seek guidance, 
• Request validation or approval from their supervisors, or  
• Request validation or approval from an appropriate campus authority.  

It is very difficult to un-fulfill a request. 

From Approved Access Units 

The Account Policy defines Units that regularly need content from Individual User Accounts in order to do their work as “Approved Access Units”. Those Approved Access Units must designate specific staff (Approved Staff Person) who are authorized to request data for the purposes outlined. 

Requirements for Approved Access Units requesting content from Individual User Accounts: 

• An Approved Staff Person from an Approved Access Unit requests assistance from a responding unit for content needed for purposes identified in the Individual Account Policy. Requests must be documented in an appropriate way. Units may specify a documentation method, or the responding staff member may use their best judgment if it is not specified.  
• Responding Units may require that specific staff or groups handle this type of request, or set up processes to ensure that responses are handled consistently and correctly. Units may work with Information Technology Services (ITS) to use intake methods already in place for their processing. 
• Responding staff verifies that the request is from an Approved Staff Person in an Approved Access Unit. 
• Privileged access to systems must occur only in compliance with IT policy to ensure systems remain secure and reliable.  
• Units opting to provide direct privileged system access to Approved Access Unit non-IT staff for the purposes defined in the Account Policy must follow appropriate access control, training, and other requirements in accordance with University IT policies.  
• Approved Access Units and units responsible for specific systems must come to agreement on managing privileged access in ways that prioritize system security, reliability, and integrity. 

Requests from other sources 

Whenever possible, access to Individual User Account data should be handled through the account holder or with their approval. When that isn’t possible or appropriate, the Account Policy sets out authorization requirements.  

Staff fulfilling requests must distinguish between:  

• Individual User Accounts of people still with the University and  
• Individual User Accounts of people who are no longer with the University.  

An active Onyen may be checked as a method to determine that the requesting unit is authorized to receive the content. A receiving unit may choose other validation methods.  

Individual Account of Active Employee 

A Unit Head may request content from the Individual User Account of someone who is or was within their unit who is still active with the University. The request requires: 

• A business justification, and  
• Approval in writing by the Provost and General Counsel (or as otherwise required in the Account Policy). 

Individual Account of Inactive Employee 

A Unit Head may request content from the Individual Account of someone who was previously within their unit but is no longer with the University. The request requires:  

• A business justification, and  
• That the Unit Head requesting was not the account-holder's supervisor. 

Requests from a Third-Party 

A third-party requestor is only allowed to request content from Individual Accounts if the data transfer was:  

• Previously authorized, or approved as an established arrangement, and 
• In compliance with the Account Policy. 

IT staff are not expected not to honor requests directly from a third-party without the requestor meeting those criteria. 

Section 2: Work-related Data Management 

This section is about data:  

• Created “behind the scenes” when people use IT systems, 
• That exist because of how systems are set up or designed to operate, and 
• Created unintentionally by the person using the system. 

The best examples of Work-related Data are System Logs. Work-related data is not the content contained in individual accounts and is usually not created intentionally by the individual. 

Background 

The University requires Units to log data following law and policy. Most University IT has Information Security policy requirements to log use in order to protect data on the systems. IT staff must follow the Information Security Controls Standard for minimum logging requirements.  

Most systems administered by IT professionals log data to facilitate troubleshooting, application support, software development, and for other routine purposes.  

Units may log data exceeding the minimum requirements as determined by IT professionals. Additional Work-related Data must be collected and maintained according to good technical practice. 

System logs and other activity data generated for IT/Data security and IT technical management purposes are complex, difficult to interpret even by experts, and are intended and created for those technical and security purposes.  

Occasionally, other uses for the Work-related Data may be requested (for research, investigation beyond IT/Data Security purposes, eDiscovery, etc.). This Standard addresses the transfer of data for those other purposes. 

Work-related Data are often stored separately from the system generating them. Retention requirements for System Logs and similar files are set by the North Carolina Records Retention Schedule. Some systems have legal, business, or audit requirements to retain Logs for extended periods.  

Many systems have files/records of user activity such as file date/times that are not strictly “Logs” in a traditional sense. This Standard, includes all Work-related Data and all types of Logs. 

Requests for Log data 

Requests for individual IT Work-related data must follow these principles: 

• Distinguish non-IT use: Requests for Log data for purposes other than technical and IT/Data security are secondary uses and require more scrutiny.  
• Check for business purpose: Log data is typically Tier 2 sensitive information. Tier 2 data may only be shared with authorized individuals for business purposes. Individual Log data may not be shared with the individual’s supervisor. (Requestors may be referred to Employee & Management Relations if the request is intended for performance management purposes.) 
• Documentation: Record secondary use requests and who/when/how they were handled, including any reviews. A central method (ticket system for example) is best.  
• Context: Log data is difficult to interpret and easy to misinterpret. Provide caution and help wherever possible (as resources allow) when releasing Log data to anyone who may not be familiar with it. 
• Pre-approved uses: Requests to support audit (Internal Audit or External-authorized Audit); eDiscovery; public records; or archives and records management made by individuals authorized under the Accounts Policy may be fulfilled without additional scrutiny.  
• Ad-hoc requests: Units may opt to apply the same decision process defined in the Accounts Policy in some or all cases. Units may also defer some or all ad-hoc requests for IT Log data to the Data Governance Oversight Group (datagov.unc.edu) for review. Requests may be reviewed after the fact if additional scrutiny is wanted. 
• Transparency: Encourage requestors to notify people that Log data about their IT activity is being used absent compelling circumstances to keep that information confidential. This would not apply to requests for properly de-identified data or aggregate data with nominal effect on individuals.  
• Education: When providing IT Log data, make sure the authorized requestor is aware of their responsibilities to:  
  • Limit its use to the intended business purpose, 
  • Share only with other authorized individuals,  
  • Manage records retention and disposal, and  
  • Apply appropriate security controls. 

Section 3. Key Points 

Staff asked to perform Data Release for Individual User Account or Work-related Data who have concerns about authorization, appropriate use, ethics, or legal compliance related to a request are encouraged to seek appropriate guidance. Campus sources of authority, such as the Institutional Privacy Office or Office of University Counsel may be consulted as appropriate. IT staff may escalate within their own management chain any concerns they have with a data release request. Or the staff may use other reporting avenues such as EthicsPoint. These paths are available before or after a Release is completed. Staff must always keep data protection needs in mind when asking for guidance. If a Release was performed in error and may involve a data breach or security incident, report that.

In some cases, a system may be set up to share information from individual accounts or showing user activity in some way that serves the purpose of that system (social media, workflow processes, publication systems, polling applications, and other examples). If the people using the system should be aware the system is doing those things, it does not violate this Standard. 

Exceptions

Third parties not under contract with the University must request through an appropriate University gatekeeper. Public Records requests must be handled according to the Policy on Public Records Requests. Legal obligations, such as eDiscovery or Law Enforcement requests must be addressed through the Office of University Counsel or another Approved Access Unit with appropriate authority. 

Definitions

Individual User Account: An arrangement by which a person is given personalized access to University IT. Examples include email, file storage, cloud, phone voicemail, and similar accounts assigned to a single individual person. 

Release: To access or move data in an Individual User Account for the purpose of allowing someone other than the person the account is registered to inspect or use that data. This may include disclosing the data to others within the University or to an external third-party. 

University IT: Any information technology or electronic communications systems, platforms, or services owned, operated, or provided by the University or any of its campus units. University IT also includes computers and devices connected to University systems or networks, or third-party systems provided under contract or on behalf of the University regardless of whether such computers or devices are owned by the University. 

University Data: includes any information the University may have a responsibility to protect. This includes University-owned data as well as data belonging to employees, students, or third parties residing or passing through University IT. 

Logs: the general term used in this Standard to include “presence data,” “activity logs,” or other names which is data created simply by connecting to or using a system.  

Related Requirements

External Regulations and Consequences 

• North Carolina General Statutes Chapter 132: Public Records
• North Carolina General Statutes Chapter 126, Article 14: Protection for Reporting Improper Government Activities 

University Policies, Standards, and Procedures 

• UNC-Chapel Hill Policy on Access to Individual User Accounts  
• Administrative Terms of Use Policy
• Information Technology Acceptable Use Policy
• Information Technology Access Control Policy
• Information Security Controls Standard 
• Policies and Procedures Under the Family Educational Rights and Privacy Act of 1974 ("FERPA")
• Policy on Prohibited Discrimination, Harassment and Related Misconduct ("PPDHRM")
• Records Retention 
• Public Records 
• Privacy of Protected Health Information Policy
• Protocol for Responding to Breaches of Protected Health Information ("PHI")
• The "Minimum Necessary" Standard for Accessing, Disclosing and Requesting Protected Health Information
• Carolina Ethics Line

Contact Information

Unit: UNC-Chapel Hill Information Technology Services

• Online: help.unc.edu request to the ITS Policy Office
• Email: its_policy@unc.edu