6.1.1 Privacy and Access to Electronic Information
Formerly Known As Policy Number: 61
This guide memo establishes a policy on privacy in Electronic Information and the circumstances under which Electronic Information may be accessed and/or disclosed without User Consent.
1. Summary
a. Purposes of Policy
Establish a policy on privacy in Electronic Information and the circumstances under which Electronic Information may be accessed and/or disclosed without User Consent.
b. Scope
This policy applies to:
- All University Information Technology (IT) Resources;
- All Users of University IT Resources, including staff, faculty, students, contractors, volunteers and visitors; and
- All Electronic Information.
Definitions of terms used in this policy are provided below, in Section 2.
This policy does not apply to the routine use of Electronic Information by those who send and receive Electronic Information in the expectation that the Electronic Information will be used by intended recipients and others in the normal course of their duties. Additionally, a User who holds records for the university may not deny Access to those records to others within the university with a need for those records to conduct university business. Rather, this policy applies to Access to Electronic Information by university officials and others who would not routinely use the Electronic Information but would do so in order to fulfill special conditions of university business, or to respond to legal demands from outside the university, as described in Section 4, Access Without User Consent, below.
c. Principles
Communication among members of the Stanford University community is essential for all university operations, teaching, and research. This communication can take many forms, including through the use of University IT Resources. Stanford University encourages the use of University IT Resources to share information and knowledge in support of the university's mission of education, research, and public service, and to conduct the university's business. To this end, the university provides and supports a broad array of electronic communications services and facilities.
Because the University provides IT Resources to facilitate electronic communication and data storage, the University could Access Electronic Information, and the scope and ease of this Access likely surpass that which the university has to non-electronic data, cell phone calls, or other personal conversations among its faculty, staff, and students.
This policy therefore sets out guidelines and processes that apply when the university seeks Access to Electronic Information. Our goal is to act in accordance with the university’s legal and ethical obligations, while also seeking to maintain an environment in which free academic inquiry thrives. This policy, along with federal, state, local and, in some circumstances, foreign laws, provides the rules and procedures under which the university may Access and disclose electronic information.
Accordingly, the policy is grounded on seven important principles:
- Access should occur only for a legitimate purpose;
- Access should be authorized by one or more appropriate and accountable people;
- Except as described herein, when the university is subject to a legal process to release a User’s Electronic Information to a third-party outside of the university, it should give Notice to the User before releasing the requested information;
- Except as described herein, the university should obtain User Consent before a User’s Electronic Information is Accessed;
- Access should be limited to the minimum Electronic Information necessary to accomplish the purpose, and the university should take reasonable steps to avoid Access to information on private machines that it has no reason to believe is university information;
- Sufficient records should be kept to enable appropriate review of compliance with this policy; and
- The process for access should be transparent and reviewable by the Steering Committee of the Faculty Senate as described in 5.e. (Transparency and Access Records).
In general, the University does not Access or disclose Electronic Information without User Consent. The university may Access or disclose Electronic Information without User Consent only under the limited circumstances as described in this policy. Moreover, before releasing a User’s Electronic Information pursuant to legal process, the university will make reasonable efforts to give notice of the third-party request.
2. Definitions
The following definitions apply to this policy. Knowledge of these definitions is important to understand this policy.
Access: Review, use, or disclosure of Content or Activity Data that is beyond the incidental contact with Electronic Information in the course of providing University IT systems. For the avoidance of doubt, mere preservation of Electronic Information is not considered Access until review or disclosure occurs.
Authorizing Official: The Authorizing Officials include the President, Provost, Vice President of Business Affairs, General Counsel, Vice Provost of Student Affairs, Vice President for Human Resources, Senior Associate Vice President and Chief Risk Officer, and the Chief Privacy Officer, as appropriate depending on the rationale for Accessing Electronic Information. Each of these Authorizing Officials may designate a deputy to authorize access for circumstances in which the identified officer is unavailable. Additionally, the Chief Information Security Officer is an Authorizing Official for System Protection, Maintenance, and Management.
Electronic Information: Electronic Information consists of both of the following types of information:
- Content: The substance, purport or meaning of communications between two or more people, or files created on, transmitted through or stored in University IT Resources, including information that a User backs up on University IT Resources from a User-owned device, and
- Activity Data: Data automatically generated by use of University IT Resources, including records of Internet use and logs of access to university facilities, and which are accessible from systems maintained by the university or its agents.
Compelling Circumstances: Circumstances in which obtaining User Consent could result in bodily harm to humans or animals, significant property loss or damage, or destruction of evidence.
Emergency Circumstances: Circumstances in which time is of the essence and the university needs to act immediately to protect against bodily harm to humans or animals, or significant property loss or damage.
Notice of Third Party Request: With regard to circumstances in which an outside party is seeking Electronic Information of a User through any legal process, such as a court order, subpoena, warrant, government investigation, or civil litigation demand involving the University, notification to the User of the request prior to the release of the requested Electronic Information and as further described in Section 5.e., Transparency and Access Records, below.
University Investigation: An allegation, which in the judgment of the General Counsel, the Vice President for Human Resources, or Senior Associate Vice President and Chief Risk Officer, requires investigation of a potential violation of law or a University policy listed in Appendix A, Policies Relating to Access Without Consent. University Investigation also includes an audit conducted at the direction of the Office of the Chief Risk Officer to ensure ongoing university compliance in the areas subject to Appendix A.
University IT Resources: All computer and communication devices, services, networks, and other technologies that access, store, or transmit personal or university information and that are owned, provided, or administered by or through the university, regardless of whether they are owned or controlled by the university or by an external electronic service provider with which the university contracts.
User: Any person or entity who:
- Uses University IT Resources to create, download, store, transmit, or process information of any kind; and
- Is authorized to use University IT Resources.
User Consent: Following a description of the purpose and the extent of a request for Access to Electronic Information, express consent to Access, use, and/or disclose Electronic Information by one or more Users:
- Who are a party to, as either a creator, sender, or recipient of, Electronic Information Content, or
- Whose Activity Data is sought.
3. Privacy and Confidentiality
a. Introduction
The university recognizes that academic freedom, shared governance, and freedom of speech require personal privacy. This policy seeks to ensure these firmly-held principles within the context of compliance with the university’s legal and other obligations. The university respects the privacy of Electronic Information in the same way that it respects the privacy of paper correspondence and telephone conversations. Simultaneously, the university seeks to ensure that university administrative records are accessible for the conduct of the university's business and seeks to meet its obligations to justify the use of private and public funds, investigate allegations of research misconduct or violation of standards of authorship, conduct fact-finding and remediation for suspected violations of the ethics and law of research using humans and animals, and inquire into and resolve allegations of noncompliance or of misconduct, such as discrimination, harassment, theft, extortion, blackmail, or acts or threats of violence.
b. Information Available to the University
As an Internet service provider, an electronic communications service provider, a backup provider, a storage provider, and more, the university is capable of accessing Electronic Information generated by User interaction with these services. Even when using personally owned devices, user interactions with University IT Resources generate Activity Data that can often be attributed to an individual while also identifying that person’s physical location to varying degrees of precision. Users should be aware that the university has or could have Access to many categories of information, including but not limited to those described in Appendix B.
All Users might be involved in circumstances over the course of their time at Stanford in which Electronic Information could legitimately be accessed by the university under Section 4, Access Without User Consent, below. Therefore, the university advises all Users who use university resources for personal matters that the university might Access Electronic Information pertaining to such matters under this policy. Accordingly, the best protection Users have to keep the university from Accessing private personal matters is to keep such matters off of university resources. To the extent Users wish to keep such personal matters private from the university, the Users should consider using non-university resources for such matters.
Even under circumstances in which the university may legitimately Access Electronic Information under this policy, it will not disclose such Accessed Electronic Information to third parties absent Notice of a Third Party Request and/or User Consent, unless (a) required to do so by law or legal process; (b) to protect life or property; or (c) to report a crime relating to or indicated by the Electronic Information.
c. Privacy Obligations of University Employees and Agents
This policy prohibits university employees and their agents from Accessing Electronic Information except in accordance with this policy. University employees shall take necessary precautions to protect the confidentiality of personal information encountered either in the performance of their duties or otherwise. University contracts with outside vendors that will have access to personally identifiable Electronic Information shall include references to this policy, to applicable privacy laws that protect the information, or language that limits the third-party contractor from using the information for any purpose other than to perform the services of the Agreement, or as required by law.
In addition to legal sanctions, violators of this policy may be subject to disciplinary action up to and including dismissal or expulsion, pursuant to university policies and collective bargaining agreements. If a User’s Electronic Information has been Accessed in violation of this policy, the affected individual should be promptly notified. Where such a policy violation also requires a legal notification under an applicable law, the legal notice will serve as the notification required under this section.
d. Audio or Video Conversations
In compliance with law, conversations shall not be recorded or monitored without advising all participants, unless a court has explicitly ordered such monitoring or recording to occur without notice. Emergency services shall record 911-type emergency calls in accordance with federal and state laws and regulations.
Callers shall be informed when a call is being monitored or recorded for the purpose of evaluating customer service, assessing workload, or any other business purpose permitted by law.
4. Access Without User Consent
Except as otherwise provided in this policy, the university will obtain User Consent prior to any Access except under the conditions described below.
a. System Protection, Maintenance, and Management
University IT Resources require ongoing maintenance and inspection to ensure that they are operating properly; to ensure they are in compliance with regulatory and contractual obligations; and to protect against security threats such as cyber attacks, malware, and phishing. University IT Resources also require regular management, for example, in order to deploy software updates. Accordingly, to perform this work, the university and its approved vendors may scan or otherwise Access Electronic Information without User Consent.
The Chief Information Security Officer may authorize Access for System Protection, Maintenance, and Management.
In that process, University IT personnel may observe certain Activity Data or other Electronic Information. Except as provided elsewhere in this policy or by law, University IT personnel are not permitted to seek out Electronic Information, including Contents or Activity Data, when not germane to system operations and support. Any unavoidable examination of Electronic Information shall be limited to the minimum required to perform such duties. This exception does not exempt systems personnel from the prohibition against disclosure of personal or confidential information.
If, in the course of their duties, University IT personnel inadvertently discover or suspect violations of law or university policy listed in Appendix A, such personnel may preserve the data and report such violations.
Where possible, the university will provide minimally invasive tools to manage User devices and adopt minimally invasive tools to monitor network security without unneeded institutional access.
b. Emergency Circumstances
The University may Access Electronic Information without User Consent in Emergency Circumstances, in which time is of the essence. One Authorizing Official may authorize Access using the least intrusive means to obtain the information necessary to assess and resolve the emergency. The Authorizing Official should weigh the need for Access against other university concerns, including academic freedom, personal privacy, the integrity of University operations, protection of life and property, and determine that the need for Access outweighs any countervailing considerations.
c. Compelling Circumstances
For Compelling Circumstances, two Authorizing Officials must authorize Access to Electronic Information. When this happens, the Authorizing Officials must make a factual determination that the university investigation/purpose has a sufficient basis to support Access without User Consent. Additionally, the Authorizing Officials should weigh the need for Access against other University concerns, including academic freedom, personal privacy, integrity of university operations, compliance with law and policies listed in Appendix A, protection of life and property, and determine that the Access of Electronic Information will advance a legitimate institutional purpose and that such need outweighs any countervailing considerations. Only Electronic Information reasonably necessary to assess and/or address the Compelling Circumstances may be accessed or disclosed.
d. Operational Circumstances
The university may Access Electronic Information without User Consent under circumstances in which failure to access the Information would likely cause the University to fail to meet mission-critical governance, administrative, teaching, or research obligations.
For Operational Circumstances, two Authorizing Officials must authorize Access to Electronic Information. When this happens, the Authorizing Officials must make a factual determination that the operational circumstances have a sufficient basis to support Access without User Consent. Additionally, the Authorizing Officials should weigh the need for Access against other University concerns, including academic freedom, personal privacy, and integrity of university operations, and determine that the Access of Electronic Information will advance a legitimate institutional purpose and that such need outweighs any countervailing considerations. Only Electronic Information reasonably necessary to assess and/or address the Operational Circumstances may be accessed or disclosed.
e. University Investigations
The university may Access Electronic Information without User Consent in order to conduct a university investigation of an alleged violation of a legal requirement or a policy listed in Appendix A. Two Authorizing Officials must authorize Access to Electronic Information for university investigations. When this happens, the Authorizing Officials must make a factual determination that the investigation has a sufficient basis to support Access. Additionally, the Authorizing Officials should weigh the need for Access against other university concerns, including academic freedom, personal privacy, the integrity of university operations, compliance with law and policy, protection of life and property, and determine that the Access of Electronic Information will advance a legitimate institutional purpose and that such need outweighs any countervailing considerations.
f. The Identity of the User is Unknown
The university may Access Electronic Information without User Consent when the identity of the User is unknown, in order to investigate violations of law or of university policy. Once the identity of the User is determined, the university may have an obligation under this policy to obtain User Consent for future Access.
g. Legal Process
All requests for Electronic Information arising from legal process, such as search warrants, court orders, national security letters, subpoenas, or other demands related to government investigations or university litigation, must be referred to the Office of the General Counsel or the General Counsel’s designee (OGC). The OGC is responsible for ensuring Notice of a Third Party Request, authorizing Access, and release of Electronic Information under this circumstance.
If a person is identified by name in the legal process as the person whose records are being sought, then the university will make reasonable efforts to provide Notice of a Third Party Request to the person/User before Accessing or disclosing Electronic Information and with sufficient notice to enable the User to object in court to the legal request.
Under circumstances in which the university does not have evidence that a User has received a copy of the Court Order or Subpoena, the university will either provide a copy of the request to the User using the cover sheet (or its equivalent) provided in Appendix C or in the alternative will make reasonable efforts under the circumstances to provide verbal or written communication to an affected User:
- that an outside party requests that the User’s Electronic Information be Accessed;
- the identity of the requester of the Electronic Information;
- the reason for the request, if known;
- the scope of Electronic Information subject to the request; and
- whether the User’s consent is required before the University will Access the information.
A User who does not want information to be released by Stanford should contact the Office of the General Counsel. If university Electronic Information is at issue, the university will work with the User to determine if moving to quash the subpoena is appropriate. If the User’s personal information is at issue (for example, pay records subpoenaed in a personal injury litigation), the User is responsible for moving to quash the subpoena or taking other appropriate legal action to invalidate the legal request to the University. Users in this situation are advised to seek legal counsel for assistance. Students enrolled in degree programs may seek out assistance from the ASSU Legal Counseling Office.
In circumstances in which the university is prohibited from disclosing the existence of legal process compelling disclosure of a User’s information (Gag Order), the Office of the General Counsel in consultation with the Privacy Office will determine whether the university has justifiable grounds to challenge the Gag Order.
5. Additional Procedures
When Electronic Information is accessed without User Consent, as provided for in Section 4, the following additional conditions apply:
a. Authorization
If the target of the search is a faculty member, except for Emergency Circumstances, one of the Authorizing Officials will be the President or Provost, who may delegate this authority on a case-by-case basis to a Cabinet member; otherwise, an Authorizing Official may not delegate authority for Access to a faculty member’s Electronic Information. Authorization shall be limited to the least intrusive means to obtain the Electronic Information needed, but sufficient to comply with the university’s obligations. Nothing herein is intended to limit the university’s duty to comply with the law.
b. Notification of Internal Access
The responsible authority or designee shall, at the earliest opportunity that is lawful and preserves the integrity of the investigation, notify the affected User(s) of the action(s) taken and the reasons for the action(s) taken, unless law or policy mandates confidentiality and thereby prevents notification.
c. Compliance with Law
All university Access shall be in full compliance with the law and other applicable university policies.
d. Advice of Legal Counsel
University personnel should seek advice from the Office of the General Counsel if assistance is needed regarding this policy.
e. Transparency and Access Records
In determining whether to authorize Access, the designated officials should evaluate all the relevant circumstances for Access including the possible effect of Access on university values. The officials who authorize Access without User Consent for any reason shall create a record of the authorization. The record will include, where applicable:
- a description of the Electronic Information that was Accessed;
- the justification for the Access;
- the legal process used to compel the Access;
- whether the User was notified;
- requests for information involving a Gag Order; and
- notifications of violations of the policy under Section 3.c (Privacy Obligations of University Employees and Agents).
The Transparency and Access Records will be submitted to the Information Security Office. The Chief Information Security Officer is responsible for keeping a de-identified summary log of instances of Access to Electronic Information. This log will be made available to the Steering Committee of the Faculty Senate annually. Consistent with university policy, the Steering Committee has the right to request further information.
6. Retention and Disposition
Electronic Information is subject to any and all applicable university records management policies.
7. Appendix A: Policies Relating to Access Without Consent
The Privacy and Access to Electronic Information policy cites circumstances under which Access to Electronic Information may occur without User Consent. University policies governing the following subject matter may trigger nonconsensual Access under the procedures defined in Section 4, Access Without User Consent:
- Non-discrimination (Administrative Guide 1.7.4; Stanford Bulletin)
- Financial management, use of funds (Administrative Guide 3.2.1) and financial irregularities (Administrative Guide 3.5.1)
- Sexual harassment, sexual assault, stalking, relationship violence and other forms of Prohibited Sexual Conduct (Administrative Guide 1.7)
- Research compliance (Research Policy Handbook; Student Handbooks; Administrative Guide 1.1.1)
- Academic misconduct (Honor Code; Fundamental Standard)
- Privacy of information and privacy breaches (Administrative Guide 1.6)
- Security of information (Administrative Guide 6.3.1)
- Conflict of commitment, conflict of interest, expenditures prohibited for a non-profit institution (Administrative Guide 1.5.1, 1.5.2, 1.5.3; Research Policy Handbook 4)
- Misuse of intellectual property (Research Policy Handbook 9; Fundamental Standard)
- Misuse or destruction of university property (Administrative Guide 1.1.1; Property Management Manual 3.5)
- Personnel policies (Administrative Guide 2)
- Violence in the workplace (Administrative Guide 2.2.4)
- Theft, extortion or blackmail (Administrative Guide 1.1.1)
- Professionalism (Administrative Guide 1.1.1; Research Policy Handbook 1.1; Stanford Guidelines of Professionalism for Students; Student Handbooks)
- Violations of the Honor Code, Fundamental Standard or Code of Conduct
- Violations relating to Computing and Network Usage (Administrative Guide 6.2.1)
8. Appendix B: Information Available to the University
- Activity Data including server logs, network connection logs, Domain Name Service (DNS) logs, email logs, phone call logs, and ID card/door access logs;
- Contents of campus network traffic that is not encrypted;
- Voicemail messages and voice calls on Stanford handsets and via Stanford’s Cisco Jabber software;
- User Content on Stanford-operated servers and in third-party operated services such as Office365, Box, Medicine Box, and Google Apps;
- User Content on SWDE/BigFix-managed laptops/desktops (not readily, but it is possible);
- CrashPlan backups that do not have a secondary password set;
- Surveillance camera video;
- GPS location and list of installed apps on MDM/AirWatch-managed mobile devices (as of this writing, the university is capable of but has explicitly disabled collection of this information);
- Stanford ID card financial transactions and library usage; and
- Employee and student administrative records.