Privacy in the Electronic Environment
Revisions: 9/13/2016, 5/24/2016, 1/29/2016, 7/25/2014 (Division title change)
NIU is committed to protecting the privacy of all students, faculty, staff, and visitors who utilize NIU’s network and resources (NIU-N). NIU provides a multifaceted environment where the university is home to some, workplace to others, and research/academic center to others. NIU is concerned with the protection and privacy of NIU data data was well as your personal data that is stored, transmitted, and processed on the NIU-N.
NIU recognizes that as faculty, staff and students create, use and store more information in electronic form using NIU-N, there is growing concern that information the user or creator considers private may be more vulnerable to invasion than information stored in more traditional media.
NIU employs a multi-layered defensive approach consisting of various technologies and processes across NIU to safeguard personally identifiable information (PII) and other sensitive data.
This policy addresses privacy issues specific to NIU community. It highlights general principles that define the privacy expectations of those in the NIU community.
While no document addressing the fluid issue of technology can be exhaustive or inflexibly dictate outcomes in all circumstances, this policy articulates current practices and provides guidance so individuals can make informed and appropriate decisions.
This policy applies to:
- Trusted partners
- Electronic Communication Act of 1986
- Fair Credit Reporting Act Gramm-Leach-Bliley Act
- Family Educational Rights and Privacy Act 1974 (FERPA)
- Health Insurance Portability and Accountability Act of 1996
- Identity Protection Act 5 ILCS 179
- Illinois Freedom of Information Act
- Illinois Unemployment Insurance Act
NIU affirms that the mutual trust and freedom of thought and expression essential to the academic mission of NIU rests on an expectation of privacy, and that the privacy of those who live, work, study, teach, and conduct research in a university setting will be respected.
Various departments within NIU accumulate information about members of its community, e.g. for purposes of payroll, employment, enrollment, and investigations. Data are also created, though not necessarily compiled or retained on a personally identifiable basis, as a necessary byproduct of technology, e.g., account charge downs at various establishments with a One Card, the borrowing of library books, and attendance tracking systems.
It is the intent of the University to protect PII stored or transmitted through NIU-N from being disclosed or released, except for legitimate University purposes. NIU employees and divisions are to follow local department processes and procedures to safeguard all data containing PII or sensitive information as defined by the Information Security Policy. Additionally, DoIT will implement industry best practices in a layered defense strategy to help protect the loss or misuse of PII and sensitive data.
NIU provides computers, email accounts, networks and telephone systems to faculty members, staff and students for the purpose of furthering the University's academic mission, fostering student life, and conducting University business. While incidental and occasional personal use of such systems, including email, voice mail, and web surfing is permissible by staff and faculty, personal communications and files transmitted over or stored on University systems are indistinguishable from business data. All protections for business data are applied to personal data across all data types.
All Division of Information Technology (DoIT) and distributed information technology personnel will adhere to NIU’s Acceptable Use Policy (AUP).
DoIT, NIU administration and leadership, and third party vendors are responsible for maintaining the confidentiality, integrity, and availability (CIA) of NIU-N. They have an important and special responsibility to recognize when they may be dealing with sensitive or private information. They can access such information without the user's consent and without obtaining higher level approval, but only when necessary to fulfill their official responsibilities, and they are expected to carry out their duties in a manner that is not unreasonably intrusive or that jeopardizes CIA service level agreements. They will be subject to disciplinary action if they misuse access to sensitive data, personal files, personnel files, email and voice mail or otherwise knowingly act in ways counter to NIU’s AUP or any other policies and applicable laws.
NIU's need for information will be first met in most situations by simply asking the author or custodian for it. The University reserves the right, consistent with this policy, to access, review and release electronic information that is transmitted over or stored in University systems or facilities. When questions arise about such access, review or release of information, NIU commits to treating electronic information no differently from non-electronic information.
In cases where issues cannot be solved at the lowest level or additional information from emails, logs, or files is needed, a senior staff member may convene a meeting (may be virtual) of the incident leadership team (Department Vice President, Chief Information Security Officer, General Counsel, Human Resources) to determine if access is warranted. Two University officials are required to concur/authorize on proceeding with undisclosed access to email, voice mail or computer accounts without the consent of the assigned user when there is a reasonable basis to believe that such action
- Is necessary to comply with legal requirements or process, or
- May yield information necessary for the investigation of a suspected violation of law or regulations, or of a suspected serious infraction of University policy (for example alleged research misconduct, plagiarism or harassment) or
- Is needed to maintain the integrity of NIU’s computing systems, or
- May yield information needed to deal with an emergency or
- With regard to faculty and staff, will yield information that is needed for NIU to proceed with ordinary business.
Except as may otherwise be dictated by legal requirements, individuals will be notified of access to, or disclosure of, the contents of their email, voice mail or computer accounts as soon as is practical. In cases where such notification might jeopardize an ongoing investigation of suspected wrongdoing it may be delayed until the conclusion of the investigation. The Office of General Counsel and the Chief Information Security Officer (CISO) are responsible for maintaining an official record of email searches performed by authorized parties.
The University has the utmost respect for the freedom of thought and expression that is at the core of NIU's academic mission. Whenever possible, therefore, the University will resolve any doubts about the need to access a University computer or other systems in favor of a faculty member's privacy interest. Computer files, email and voice mail created, stored, transmitted or received by faculty will be afforded the same level of privacy as the contents of their offices. Access to faculty records in connection with investigations carried out by any authorized NIU organization will consult with the Provost prior to searching files or materials. All items taken or copied during an investigation will be documented and a copy of that list provided to the Provost. The Provost in cooperation with the investigating organization will jointly notify the faculty member at the earliest feasible opportunity. Except as may otherwise be dictated by legal requirements, the procedures outlined in that policy will be followed with respect to a faculty member's files, computer files, email or voice mail in connection with other investigations or proceedings.
It is not NIU policy to arbitrarily access staff members' electronically stored information. As noted above, NIU's need for information will normally be met by asking an employee for it. In cases where asking is not prudent, the CISO in coordination with Human Resources (HR) and/or the division Vice President and always in consultation with General Counsel, may authorize access, review and release of the contents of staff computer files, email or voice mail transmitted over or stored on NIU-N. All items taken or copied during an investigation will be documented and secured by the CISO’s office or the requesting division's authorized official.
Students are provided email and computer accounts for personal and academic activities. While the University does not generally monitor or access the contents of a student's email, network logs, or computer accounts, it reserves the right to do so. However, access to and disclosure of a student's email messages, network logs, or the contents of his or her computer accounts are authorized only by agreement with the CISO and any one of the following: Provost, Vice President of Student Affairs and Enrollment Management or their designee and always in consultation with the Office of General Counsel.
Some individuals have multiple University affiliations (e.g., students employed by the University). When the need for access to information arises from a particular status, the provisions above for that status will be applied. In other cases, the provisions for the individual's primary status will be applied.
Members of NIU’s community who believe this policy has been violated with respect to their privacy should attempt to resolve the issue within their unit or department, if necessary with the mediation of the leadership of their representative assembly or the University Ombudsperson. Others who become aware of violations of this policy should report them to NIU’s CISO, the Office of General Counsel, the Division of Human Resources or the Division of Student Affairs and Enrollment Management. All University offices that substantiate such violations should report them to the CISO, who will monitor them for repeat instances and patterns. Those who violate this policy may be subject to disciplinary procedures up to and including dismissal. Cases of serious, deliberate criminal conduct may be referred to the NIU Department of Police and Public Safety or other external authorities that may result in civil or criminal proceedings.
It is essential that all phases of any investigation or discovery but completed as expeditiously as possible to minimize any potential negative image impact; time is of the essence especially when users are placed on administrative leave.