Revisions: 5/24/2016, 1/29/2016, 7/25/2014 (Division title change)
Northern Illinois University (NIU) is committed to protecting the privacy of all students, faculty, staff, and visitors who use NIU’s network and resources (NIU-N). NIU provides a multifaceted environment where the university is home to some, workplace to others, and research/academic center to others. NIU is concerned with the protection and privacy of NIU data as well as your personal data that is stored, transmitted, and processed on the NIU-N.
NIU recognizes that as students, faculty, and staff create, use and store more information in electronic form using NIU-N, there is growing concern that information the user or creator considers private may be more vulnerable to invasion than information stored in more traditional media.
NIU employs a multi-layered defense using various technologies and processes across NIU to safeguard personally identifiable information (PII) and other sensitive data.
This policy addresses privacy issues specific to the NIU community. It is intended to highlight general principles that define the expectations of privacy of those in the NIU community.
While no document addressing the fluid issue of technology can be exhaustive or inflexibly dictate outcomes in all circumstances, this policy articulates current practices and provides guidance so individuals can make informed and appropriate decisions.
This policy applies to all:
- Trusted Partners
- Electronic Communication Act of 1986
- Fair Credit Reporting Act
- Gramm-Leach-Bliley Act
- Family Educational Rights and Privacy Act 1974 (FERPA)
- Health Insurance Portability and Accountability Act of 1996
- Identity Protection Act 5 ILCS 179
- Illinois Freedom of Information Act
- Illinois Unemployment Insurance Act
NIU affirms that the mutual trust and freedom of thought and expression essential to the academic mission of NIU rests on an expectation of privacy, and that the privacy of those who live, work, study, teach, and conduct research in a university setting will be respected.
Various departments within NIU accumulate information about members of its community, e.g., for purposes of payroll, employment, enrollment, and investigations. Data are also created, though not necessarily compiled or retained on a personally identifiable basis, as a necessary byproduct of the use of technology, e.g., the ability to do account charge downs at various establishments with One Card, the borrowing of library books, and attendance tracking systems.
It is the intent of the University to protect PII stored on or transmitted through NIU-N from being disclosed or released except for legitimate University purposes. NIU employees and divisions are to follow the local department processes and procedures to safeguard all data containing PII or sensitive information as defined by the Information Security Policy. Additionally, the Division of Information Technology (DoIT) will implement industry best practices in a layered defense strategy to protect against the loss or misuse of PII and sensitive data.
NIU provides computers, email accounts, networks and telephone systems to students, faculty and staff for the purpose of furthering the University's academic mission, fostering student life, and conducting University business. While incidental and occasional personal use of such systems, including email, voice mail, and web surfing, is permissible by faculty and staff, personal communications and files transmitted over or stored on University systems are indistinguishable from business data. All protections for business data are applied to personal data, and logging is uniformly applied across all data types.
All distributed information technology personnel and the Division of Information Technology (DoIT) will adhere to NIU’s Acceptable Use Policy (AUP).
DoIT, NIU administration, third-party vendors, and NIU leadership are responsible for maintaining the confidentiality, integrity, and availability (CIA) of NIU-N. They have an important and special responsibility to recognize when they may be dealing with sensitive or private information. They may access such information without the user's consent and without obtaining higher level approval, but only when necessary to fulfill their official responsibilities, and they are expected to carry out their duties in a manner that is not unreasonably intrusive and that does not jeopardize CIA service level agreements. They will be subject to disciplinary action if they misuse their access to sensitive data, personal files, personnel files, email and voice mail or otherwise knowingly act in ways counter to NIU’s AUP or any other policies and applicable laws.
NIU's need for information will be met in most situations by first simply asking the author or custodian for it. The University reserves the right, consistent with this policy, to access, review and release electronic information that is transmitted over or stored in University systems or facilities. When questions arise about such access, review or release of information, NIU commits to treating electronic information no differently from non-electronic information.
In cases where issues cannot be solved at the lowest level or additional information from emails, logs, or files is needed, a senior staff member may convene a meeting (which may be virtual) of the incident leadership team (Division Vice President, Chief Information Security Officer (CISO), General Counsel, Human Resources) to determine if access is warranted. In those cases, two University officials are required to concur and authorize proceeding with undisclosed access to email, voice mail or computer accounts without the consent of the assigned user when there is a reasonable basis to believe that such action:
- Is necessary to comply with legal requirements or process; or
- May yield information necessary for the investigation of a suspected violation of law or regulations, or of a suspected serious infraction of University policy (for example, alleged research misconduct, plagiarism or harassment); or
- Is needed to maintain the integrity of NIU’s computing systems; or
- May yield information needed to deal with an emergency; or
- With regard to faculty and staff, will yield information that is needed for NIU to proceed with ordinary business.
Except as otherwise dictated by legal requirements, individuals will be notified of access to or disclosure of the contents of their email, voice mail or their computer accounts as soon as is practical. In cases where such notification might jeopardize an ongoing investigation of suspected wrongdoing, it may be delayed until the conclusion of the investigation. The Office of General Counsel and the CISO are responsible for maintaining an official record of email searches performed by authorized parties.
Students are provided email and computer accounts for personal and academic activities. While the University does not generally monitor or access the contents of a student's email, network logs, or computer accounts, it reserves the right to do so. Access to and disclosure of a student's email messages, network logs, or the contents of his or her computer accounts can be authorized only by agreement with the CISO and any one of the following: Provost, Vice President of Student Affairs and Enrollment Management or their designee and always in consultation with the Office of General Counsel.
The University has the utmost respect for the freedom of thought and expression that are at the core of NIU's academic mission. Whenever possible, the University will resolve any doubts about the need to access a University computer or other systems in favor of a faculty member's privacy interest. Computer files, email and voice mail created, stored, transmitted or received by faculty will be afforded the same level of privacy as the contents of their offices. Any authorized NIU organization that accesses faculty records in connection with an investigation will consult with the Provost prior to searching files or materials. All items taken or copied during an investigation will be documented and a copy of that list provided to the Provost. The Provost, in cooperation with the investigating organization, will jointly notify the faculty member at the earliest feasible opportunity. Except as otherwise dictated by legal requirements, the procedures outlined in that policy will be followed with respect to a faculty member's files, computer files, email or voice mail in connection with other investigations or proceedings.
As noted above, it is not NIU policy to arbitrarily access staff members' electronically stored information; NIU's need for information will normally be met by first asking an employee for it. In cases where asking isn’t prudent, the CISO, in coordination with HR and/or the division Vice President and always in consultation with General Counsel, may authorize access, review and release of the contents of staff computer files, email or voice mail transmitted over or stored on NIU-N. All items taken or copied during an investigation will be documented and secured by the CISO or the requesting division's authorized official.
Some individuals have multiple University affiliations (e.g. students employed by the University). When the need for access to information arises from a particular status, the provisions above for that status will be applied. In other cases, the provisions for the individual's primary status will be applied.
Members of NIU’s community who believe that this policy has been violated with respect to their privacy should initially attempt to resolve the issue within their unit or department, if necessary with the mediation of the leadership of their representative assembly or the University Ombudsman. Others who become aware of violations of this policy should report them to the CISO, Office of General Counsel, HR or the Office of Student Affairs and Enrollment Management. All University offices that substantiate such violations should report them to the CISO, who will monitor them for repeat instances and patterns. Those who violate this policy may be subject to disciplinary procedures up to and including dismissal. Cases of serious, deliberate criminal conduct may be referred to the NIU Department of Police and Public Safety or other external authorities, which may result in civil or criminal proceedings.
It is essential that all phases of any investigation or discovery be completed as expeditiously as possible to minimize any potential negative image impact; time is of the essence, especially when users are placed on administrative leave.