Information about the University of Chicago faculty, staff, students, or other affiliates is covered by certain privacy laws, University policies, and regulatory requirements. All such requests must follow this procedure to ensure the proper protection of both those individuals and the University.
What Information Is Covered
This procedure covers information requests related to non-public information about or actions taken by any member of the University of Chicago community where such records are under the management and control of IT Services. This also covers general records when an individual is not specifically named. Examples include:
- Non-public information about an individual
- Phone records
- Network activity
- Computer activity
- Information on actions and locations
- Network logs
- Computer logs or login activity
- Access information
- Information from a camera or other recording device
Procedure
These requests are often confidential in nature. Involved parties must disclose only the existence of the information request to those needed to follow this procedure, and then only what is needed to complete the process.
How to request records or information:
- Requests can be sent via ServiceNow or may be forwarded to security@uchicago.edu or call 773.702.2378.
- All requests must include:
- Summary stating the reason for the request.
- Detailed description of what is being requested
- Requestor's name, CNetID, department, title, and contact information.
- IT Security will review and obtain clarification of the request, if needed, and forward on to the Office of Legal Counsel, where applicable.
- Legal Counsel will evaluate the request and approve, deny, or ask for additional information. They may go through IT Security or make the request directly to the requester for additional information.
Consult the Requirements table below to make sure the request has been received from someone identified in the Who Can Request column for that Request Type.
Note: This procedure must be followed whether or not the requester is an external party (e.g., law enforcement, government agency) or internal (e.g., human resource management, business unit management, or dean's office).
Contact IT Security at security@uchicago.edu with any questions about this procedure.
Requirements
|
Request Type |
Who Can Request? |
Requires ServiceNow Request |
Requires IT Security Processing |
Requires Legal Approval |
Information Required from Requester |
Special Requirements/Exceptions |
Final ServiceNow Assignment Group |
|---|---|---|---|---|---|---|---|
|
Auto-Reply |
HR or Dept. Head |
YES |
YES |
NO |
Text for the auto-reply should be written in third person, i.e. cannot pretend to be written by an ex-employee (e.g. "I no longer work for ..."). |
When possible, the department should work with the employee to set up an auto-reply before termination. If th employee has alumni or staff affiliation special arrangements may be necessary such as:
|
windows-server |
| Email forwarding to internal email account | HR or Dept. Head | n/a | n/a | n/a | This is prohibited. Sometimes when there's a staff departure, the requester will ask for the employee's email to be forwarded to another UChicago email address, but request mailbox access instead (see below) and an out-of-office reply be added to the employee's email account. | windows-server | |
|
HR or Dept. Head |
YES |
YES |
YES |
Access duration for specified individual (45 days because after that the mailbox is automatically deleted). |
Prior to getting access the requester should receive terms of access (time and content restrictions) provided by Legal. |
windows-server |
|
| Email 'Send as' | n/a | n/a | n/a | n/a | n/a |
"Send as" impersonation in which one user impersonates another individual when sending an email (the recipient has no way to determine that the perceived sender is not the actual sender) is not allowed per a policy from the Office of Legal Counsel. See https://its.uchicago.edu/procedures-manage-user-permissions-university-email/ for further details. Related requests are allowed with the approval of the perceived sender:
|
For O365 Mailbox: windows-server |
|
File Share or Related File Store |
HR or Dept. Head |
YES |
YES |
YES |
UNC or other relevant filepath(s) |
Available to specified individuals, with any caveats by Legal Counsel. Note: Access to many of the systems, such Google drive, is automatically removed when the resource is deleted at the end of the Closure process for the account. |
storage |
|
Box Google Drive OneDrive |
HR or Dept. Head | YES | YES | YES |
Name of Box shared folder and/or account |
Box and OneDrive have a 180-day retention policy. The data is not permanently deleted on/after Closure Day 45. However, access to the data is terminated and will not be granted/approved to the closed individual. Per the Office of Legal Counsel, this should be made clear to the requester. Requests received after Closure Day 45 will reinforce the closure process and requests will be denied. IT Security will consult Legal with any escalated requests. Note: Access to other systems, such as Google Drive, is automatically removed when the resource is deleted at the end of the Closure process for the account. |
For Box: storage For Google Drive: IAM For OneDrive: windows-server |
|
Workstation Files |
HR or Dept. Head |
YES |
YES |
YES |
|
|
desktop-support |
|
Phone Records |
self, or supervisory role overseeing user for whom records are requested |
YES |
YES |
YES |
|
All phone requests should go to Legal, even if requesting for yourself. |
voice-services |
|
Data Archive for Deceased Student |
Dean |
YES |
YES |
NO |
CNetID (and ChicagoID if there is any question about the identity) |
IT Security will handle processing per standard procedure. |
multiple |
| Canvas or LMS usage by students | Dean or academic discipline staff | YES | YES | YES |
|
Instructors have basic student usage data available - this is a request for more direct system-based logs. | faculty-support |