Revisions: 1/29/2016, 7/25/2014 (Division title change)
NIU is committed to protecting the privacy of all students, faculty, staff, and visitors who utilize NIU’s network and resources (NIU-N).
As faculty, students and staff create, use and store information in electronic form using NIU-N, there is growing concern that information the user or creator considers private may be more vulnerable to invasion than information stored in more traditional media. NIU is concerned with the protection and privacy of NIU data as well as personal data that is stored, transmitted, and processed on the NIU-N.
NIU employs a multi-layered defensive approach consisting of various technologies and processes to safeguard personally identifiable information (PII) and other sensitive data.
This policy is intended to highlight general principles of privacy in the NIU community. While no document addressing the fluid issue of technology can be exhaustive or inflexibly dictate outcomes in all circumstances, this policy articulates current practices and provide guidance so individuals can make informed and appropriate decisions.
ScopeThis policy applies to all:
- Trusted Partners
NIU affirms that the mutual trust and freedom of thought and expression essential to the academic mission rest on an expectation of privacy. The privacy of those who live, work, study, teach, and conduct research at NIU will be respected.
NIU departments accumulate information about members of its community, e.g., for purposes of payroll, employment, enrollment, and investigations. Data are also created, though not necessarily compiled or retained on a personally identifiable basis, as a necessary byproduct of the use of technology, e.g., the ability to do account charge downs at various establishments with OneCard, the borrowing of library books, and attendance tracking systems.
It is the intent of the University to protect PII stored or transmitted through NIU-N from being disclosed or released except for legitimate University purposes. NIU employees and divisions are to follow local department processes and procedures to safeguard all data containing PII or sensitive information as defined by the Information Security Policy. Additionally, DoIT will implement industry best practices in a layered defense strategy to protect against the loss or misuse of PII and sensitive data.
NIU provides computers, email accounts, networks and telephone systems to students, faculty and staff for the purpose of furthering the University's academic mission, fostering student life, and conducting University business. Incidental and occasional personal use of such systems, including email, voice mail, and web surfing, is permissible by staff and faculty. Personal communications and files transmitted over or stored on University systems are indistinguishable from business data, therefore all protections for business data are also applied to personal data as logging in is uniformly applied across all data types.
All distributed IT and DoIT staff will adhere to the Acceptable Use Policy.
The Division of Information Technology, NIU administration, third-party vendors and NIU leadership are responsible for maintaining the confidentiality, integrity, and availability (CIA) of NIU-N. It is an important and special responsibility to recognize when they may be dealing with sensitive or private information. They may access such information without the user's consent and without obtaining higher level approval, but only when necessary to fulfill their official responsibilities. They are expected to carry out their duties in a manner that is not unreasonably intrusive or that jeopardizes CIA service level agreements. They will be subject to disciplinary action if they misuse their access to sensitive data, personal files, personnel files, email and voice mail or otherwise knowingly act in ways counter to the Acceptable Use Policy or any other policies and applicable laws.
In most situations, NIU's need for information will be met first iby simply asking the author or custodian for it. The University reserves the right, consistent with this policy, to access, review and release electronic information that is transmitted over or stored in University systems or facilities. When questions arise about such access, review or release of information, NIU commits to treating electronic information no differently from non-electronic information.
In cases where issues cannot be solved at the lowest level or additional information from emails, logs, or files is needed, a senior staff member may convene a meeting (may be virtual) of the incident leadership team (the department's Vice President, Chief Information Security Officer, General Counsel, and Human Resources) to determine if access is warranted. In those cases, two University officials are required to concur/authorize on proceeding with undisclosed access to email, voice mail or computer accounts without the consent of the assigned user when there is a reasonable basis to believe that such action
- Is necessary to comply with legal requirements or process, or
- May yield information necessary for the investigation of a suspected violation of law or regulations, or of a suspected serious infraction of University policy (for example, alleged research misconduct, plagiarism or harassment) or
- Is needed to maintain the integrity of NIU’s computing systems, or
- May yield information needed to deal with an emergency or
- With regard to faculty and staff, will yield information that is needed for NIU to proceed with ordinary business.
Except as may otherwise be dictated by legal requirements, individuals will be notified of access to, or disclosure of, the contents of their email, voice mail or computer accounts as soon as practical. In cases where such notification might jeopardize an ongoing investigation of suspected wrongdoing, it may be delayed until the conclusion of the investigation. The Office of General Counsel and Chief Information Security Officer (CISO) are responsible for maintaining an official record of email searches performed by authorized parties.
FacultyThe University has the utmost respect for the freedom of thought and expression that are at the core of NIU's academic mission. Whenever possible, the University will resolve any doubts about the need to access a University computer or other systems in favor of a faculty member's privacy interest. Computer files, email and voice mail created, stored, transmitted or received by faculty will be afforded the same level of privacy as the contents of their offices. Any authorized NIU organization will consult with the Provost prior to searching files or materials regarding access to faculty records in connection with investigations. All items taken or copied during an investigation will be documented and a copy of that list provided to the Provost. The Provost, in cooperation with the investigating organization, will jointly notify the faculty member at the earliest feasible opportunity. Except as may be dictated otherwise by legal requirements, these procedures will be followed with respect to a faculty member's files, computer files, email and voice mail in connection with investigations or proceedings.
As noted above, it is not NIU policy to arbitrarily access staff members' electronically stored information. NIU's need for information will normally be met by asking an employee for it. In cases where asking isn’t prudent, the CISO in coordination with Human Resources and/or the division Vice President, and always in consultation with General Counsel, may authorize access, review and release of the contents of staff computer files, email and voice mail transmitted over or stored on NIU-N. All items taken or copied during an investigation will be documented and secured by the CISO’s office or the requesting division's authorized official.
Students are provided email and computer accounts for personal and academic activities. While the University does not generally monitor or access the contents of a student's email, network logs, or computer accounts, it reserves the right to do so. However, access to and disclosure of a student's email messages, network logs, or the contents of his or her computer accounts may only be authorized by agreement with the CISO and any one of the following: Provost, VP Student Affairs or their designee and always in consultation with the Office of General Counsel.
Some individuals have multiple University affiliations (e.g. students employed by the University). When the need for access to information arises from a particular status, the provisions for that status will be applied. In other cases, the provisions for the individual's primary status will be applied.
Members of NIU’s community who believe that this policy has been violated with respect to their privacy should attempt initially to resolve the issue within their unit or department, if necessary with the mediation of the leadership of their representative assembly or the University Ombudsperson. Others who become aware of violations of this policy should report them to the CISO, Office of General Counsel, Human Resources or the Office of Student Affairs. All University offices that substantiate such violations should report them to the CISO, who will monitor them for repeat instances and patterns. Those who violate this policy may be subject to disciplinary procedures up to and including dismissal. Cases of serious, deliberate criminal conduct may be referred to the Department of Police and Public Safety or other external authorities that may result in civil or criminal proceedings.
It is essential that all phases of any investigation or discovery be completed as expeditiously as possible to minimize any potential negative image impact; time is of the essence especially when users are placed on administrative leave.
- Electronic Communication Act of 1986
- Fair Credit Reporting Act Gramm-Leach-Bliley Act
- Family Educational Rights and Privacy Act 1974 (FERPA)
- Health Insurance Portability and Accountability Act of 1996
- Identity Protection Act 5 ILCS 179
- Illinois Freedom of Information Act
- Illinois Unemployment Insurance Act