Procedures for Emergency Account and Information Access

Brown offers electronic services to its computer users to perform work for the University in support of its mission.

While efforts are made to ensure reasonable expectations of privacy for Brown University computer users, legitimate reasons will arise that require access to information held on Brown workstations, servers or peripherals. These exceptions may be required based on legal action (such as a court order), may involve the health and/or safety of an individual or group, or be prompted by urgent University business needs.

Should an individual user be unavailable or unable to provide permission to access it, and if circumstances supersede the right to privacy, University access without the owner's permission will be provided with the approval of an authorized University official as described in the following procedures.

1. Emergency Information Access Due to Urgent University Business

When business needs require access to employee electronic information – whether stored in a personal mailbox, personal network space, on a personal hard drive, and/or backups of these – and the information owner is unavailable, an authorized University officer (see section 2, item #1 below) should email the Director of Information Security at Computing and Information Services (or designee) at ITSecurity@brown.edu, who will review the request and authorize the specific access as necessary.

Examples of an employee's inability to provide consent include, but are not limited to the following:

• Administrative leave
• An employee leaves unexpectedly and ends up on a prolonged absence
• An employee is suddenly terminated for cause
• An employee is incapacitated for some reason and emergency access is required

Procedure for Accessing an Employee's Existing Mail or Files Stored on University Servers

1. A request is sent in email to ITSecurity@brown.edu with the name of the person who requires access, the name of the employee whose existing information is to be exported, and specifics as to what information is needed. Email approval from an authorized University officer is required, as well as approval from the department head. Authorized University officers follow:
• the Public Safety Chief of Police
• the Director of Brown University Health Services or Psychological Services
• the Vice President for Campus Life and Student Services (for students)
• the Provost (for faculty)
• the Vice President of Administration or Assistant Vice President of Human Resources (for staff)
2. a) The IT Security Director receives the approved request in email, verifies authorization from the appropriate University officer, and talks directly to the appropriate technical administrator (who will provide access to the information) and will also create a Remedy request*, assigning the ticket to the administrator.
   b) If the information is not accessible by CIS and is stored on a local server or personal hard drive, the IT Security Director will coordinate efforts with local IT support personnel to obtain the requested information and convey it to the authorized requestor.
3. The CIS technical administrator exports or provides access to requested information, then works through the IT Security Director to arrange for a transfer of the information to the requestor. If the request is for email messages, the requestor must specify which mailboxes contain the required information (Inbox, Sent Mailbox, etc.).
4. The CIS technical administrator records what was done* and then closes the ticket.
5. The IT Security Director will follow instructions from Authorized officers regarding the preservation and archival of requested data, and will document the request, disclosure details, the name and title of the requestor, and the reason for the emergency request.

* No confidential information is ever to be stored in the Remedy Ticketing System. Requests must be modified to ensure confidentiality.

2. Emergency Information Access in Response to a Court Order or Other Compulsory Legal Process

Any request for access to electronic information at Brown in support of legal actions must be immediately forwarded to Brown's Office of General Counsel (863-9900). Brown's legal representatives will guide any further actions by Brown employees.

3. Account Access to an Unavailable Employee's Email

When an employee is unavailable to receive and respond to email and urgent business needs require continuity of communication, the employee's supervisor may request that an "Out of Office" message be placed on the employee's email account.

Procedure for Creating an "Out of Office" Message for an Unavailable Employee's Email Account

1. The requestor's department head sends the request in email to ITSecurity@brown.edu, including such details as the name of the email account owner who needs the Out of Office message added to their mailbox, and the text of that message.
2. For terminated employees, it is also important to know how long the Out of Office message should be in place (usually two weeks to 30 days).
3. The IT Security Director receives the approved request and confers with the requestor. If the request is approved, the IT Security Director works with Computing Accounts and Passwords (CAP), and CAP will create a Remedy request, assigning the ticket to the CIS Network Systems group.
4. The on-call CIS technical administrator confidentially accesses the mailbox for the sole purpose of creating and enabling the Out of Office message, then reassigns the ticket to CAP.
5. CAP notifies IT Security and the original requestor, schedules the removal of the Out of Office message, and then closes the ticket.

Computing Policy for Brown University (home) | Electronic Email Policy | Computing Privileges
Computing Account Management Policy | Form to Request Privileged Access
Students Rights and Responsibilities: Family Educational Rights and Privacy Act (specifically, section on "Consent to Disclosure and Disclosure Without Consent")

Questions or comments to: ITPolicy@brown.edu