Procedures for Emergency Information Access
While every effort is made to ensure the privacy of Brown University computer users, legitimate reasons will occasionally arise that require access to information held on Brown workstations, servers or peripherals. These exceptions may be required based on legal action (such as a court order), prompted by urgent University business needs, or may involve the health and/or safety of an individual or group.
Should the information owner be unable to provide the information or unavailable to grant written permission to access it, and if circumstances supersede the right to privacy, University access without the owner's written permission will be provided with the approval of an authorized University official as described in the following procedures.
1. Disclosure in Response to a Court Order or Other Compulsory Legal Process
Any request for access to electronic information at Brown in support of legal actions must be immediately forwarded to Brown's Office of General Counsel. Brown's legal representatives will guide any further actions by Brown employees.
2. Disclosure as a Result of Urgent University Business (Administrative Staff only)
Electronic information systems and network services are made available for use by administrative staff (which includes staff members, student workers, contractors, miscellaneous and temporary employees, etc.) to conduct University business. Authorized University officials retain the right to access and inspect an employee's electronic information without the consent of its owner when business needs require such access and the information owner is unavailable.
When such circumstances arise, and authorized University officers are unable to access the needed email messages or files, the officers should contact the Director of Information Security at Computing and Information Services (or designee), who will review the request and authorize the specific access as necessary.
Examples of an employee's inability to provide consent include, but are not limited to, the following:
- An employee leaves unexpectedly and ends up on a prolonged absence
- An employee is suddenly terminated for cause
- An employee is incapacitated for some reason and emergency access is required
The requestor should complete the form Request for Privileged Access (will need to modify based on new procedure - should have estimated need date(s) as well), specifying which of the following procedures (A, B and/or C) is required:
A. Creating an "Out of Office" Message for an Unavailable Employee's Email Account
- The requestor's department head sends the request in email to IT Security, including such details as the name of the email account owner who needs the Out of Office message added to their mailbox, and the text of that message.
- The IT Security Director receives the request from the department head and confers with the requestor. If the request is approved, the IT Security Director creates a Remedy request, assigning the ticket to the CIS Network Systems group.
- The on-call CIS system administrator accesses the mailbox to create and enable the Out of Office message, then reassigns the ticket to the Help Desk (Computing Accounts and Passwords, or CAP).
- CAP notifies IT Security and the original requestor (and/or department head), and then closes the ticket.
B. Accessing a Third Party’s Existing Mail
- The requestor's department head sends the request in email to IT Security with the name of the person who requires access, the name of the staff person whose information is to be exported, and the beginning and end date of the information export request (i.e. all email messages received between October 23rd and October 30th). The request must be specific.
- The IT Security Director receives the email from the department head and confers with the requestor. If the request is approved, the IT Security Director creates a Remedy request, assigning the ticket to the CIS Network Systems group.
- The on-call CIS systems administrator exports all information from the indicated date range, then contacts the requestor and department head to arrange for a transfer of the information to the requestor. If the request is for email messages, the requestor must specify which mailboxes contain the required information (Inbox, Sent Mailbox, etc.).
- The CIS system administrator records what was done and assigns the ticket to CAP.
- CAP notifies IT Security and the original requestor (and/or department head), and then closes the ticket.
C. Disclosure with Consent: Authorizing Access of Your Email by Another Individual
An employee may authorize access to his or her email account under certain circumstances. This consent is normally granted in writing to one's supervisor for a specified date range. It is the responsibility of the supervisor to report such instances to their department head.
If an employee desires to have an administrative assistant or other delegate access their email account, administrative rights can be set by the employee to allow it. Passwords are never to be shared for this purpose.
Note that this provision does not supersede any restrictions contained in other university policies, such as the prohibition of sharing passwords.
D. Disclosure with Consent: Rerouting or Forwarding Another Person’s Mail
Arrangements to have one's email forwarded to another individual require the account holder's permission. Email will generally be forwarded to one's supervisor for a specified date range. It is the responsibility of the supervisor to report such instances to their department head.
Note that no confidential information is ever to be stored in the Remedy Ticketing System. Requests must be modified to ensure confidentiality.
3. Disclosure Prompted by Health or Safety Emergencies
In the event of a health or safety emergency, the university may access or disclose the content of email according to the following procedures:
- Emergency requests may be initiated by any one of the following University officials:
  - the Public Safety Chief of Police or designee
  - the Director of Brown University Health Services or Psychological Services or their designee
  - the Vice President for Campus Life and Student Services or designee (for students)
  - the Provost or designee (for faculty)
  - the Vice President of Administration or Assistant Vice President of Human Resources (for staff)
- Requests are made to the Director of IT Security, who will contact the on-call CIS system administrator, and notify the Vice President of CIS, or designee.
- The CIS systems administrator will access and convey the requested data to the IT Security Director.
- As soon as is feasible, the IT Security Director will dispatch the required information to the requestor.
- The IT Security Director will document the request, which should include the following information: what data was accessed and/or disclosed, and any other relevant information, such as the approximate time of the request, access, and disclosure, the name and title of the requestor, and the nature of the emergency.
Computing Policy for Brown University (home) | Interim Electronic Email Policy
Students Rights and Responsibilities: Family Educational Rights and Privacy Act (specifically, section on "Consent to Disclosure and Disclosure Without Consent")
Questions or comments to: ITPolicy@brown.edu
Interim Policy Effective Date: