This site requires JavaScript to be enabled

Procedure to Handle Requests for Records or Information

3801 views

13.0 - Updated on 2024-06-24 by James Clark (jclark)

12.0 - Updated on 2024-06-20 by James Clark (jclark)

11.0 - Updated on 2024-06-03 by Dinesh Budhathoki (dbudhathoki)

10.0 - Updated on 2023-11-06 by Karen Neuhoff (kab)

9.0 - Updated on 2023-11-06 by Deem Alothaimeen (deem)

8.0 - Updated on 2023-11-06 by Deem Alothaimeen (deem)

7.0 - Updated on 2023-11-03 by Joseph Rivera (josephrivera)

6.0 - Updated on 2023-10-27 by Dinesh Budhathoki (dbudhathoki)

5.0 - Updated on 2023-06-30 by Kendall Williams (kendallrw)

4.0 - Updated on 2021-08-05 by Rosa Miller (rosam)

3.0 - Updated on 2020-05-29 by Rosa Miller (rosam)

2.0 - Updated on 2019-08-14 by Rosa Miller (rosam)

1.0 - Authored on 2018-05-10 by Rosa Miller (rosam)

Certain privacy laws, university policies, and regulatory requirements cover the personal information of University of Chicago faculty, students, staff, and affiliates. To protect individuals and the University, all information requests must follow the procedure below.

Contents

What Information Is Covered

This procedure covers information requests related to non-public information about or actions taken by a member of the University of Chicago community where such records are under the management and control of IT Services. This procedure also covers general records when an individual is not specifically named. Examples include:

Procedure

These requests are often confidential in nature. Involved parties must disclose only the existence of the information request to those needed to follow this procedure, and then only what is needed to complete the process.

How to request records or information:

Consult the Requirements table below to make sure the request has been received from someone identified in the Authorized Requestor column for that Request Type.

Note: This procedure must be followed whether or not the requestor is an external party (e.g., law enforcement, government agency) or internal (e.g., human resource management, business unit management, or dean's office).

Contact IT Security at security@uchicago.edu with any questions about this procedure.

Requirements

Auto-Reply

Authorized Requestor ServiceNow Request IT Security Processing Legal Approval Information Required from Requestor ServiceNow Assignment Group
HR or Dept. Head Yes No Auto-reply text should be written in the third person. For example, "This mailbox is no longer receiving emails on behalf of Joe Carter. Please send your email to this email address." windows-server
Special Requirements/Exceptions:

When possible, the department should work with the employee to set up an auto-reply before termination. If the employee has alumni or staff affiliation special  arrangements may be necessary such as:

1. Notify the employee that auto-reply is in place 

2. Get the employee to agree to forward any business-related emails that are forwarded to a personal account back to the department 

3. Special approval is needed from Legal counsel to take other actions

Email forwarding to Internal Email Account

Authorized Requestor ServiceNow Request IT Security Processing Legal Approval Information Required from Requestor ServiceNow Assignment Group
HR or Dept. Head n/a windows-server
Special Requirements/Exceptions:

This is prohibited. Sometimes when there's a staff departure, the requestor will ask for the employee's email to be forwarded to another UChicago email address, but request mailbox access instead (see below) and an out-of-office reply be added to the employee's email account.

Email Archive or Active Inbox

Authorized Requestor ServiceNow Request IT Security Processing Legal Approval Information Required from Requestor ServiceNow Assignment Group
HR or Dept. Head Yes Access duration for specified individuals (45 days because after that the mailbox is automatically deleted). windows-server
Special Requirements/Exceptions:

Prior to getting access the requestor should receive terms of access (time and content restrictions) from Legal.

Email 'Send as'

Authorized Requestor ServiceNow Request IT Security Processing Legal Approval Information Required from Requestor ServiceNow Assignment Group
n/a windows-server
Special Requirements/Exceptions:

"Send as" impersonation in which one user impersonates another individual when sending an email (the recipient has no way to determine that the perceived sender is not the actual sender) is not allowed per a policy from the Office of Legal Counsel. See https://its.uchicago.edu/procedures-manage-user-permissions-university-email/ for further details.

Related requests are allowed with the approval of the perceived sender:

  • Impersonation uses a distribution email account (e.g. Communications staffer sending as a VIP using Politemail)
  • "Send on behalf as" (not "Send as") IS allowed with the approval of the 'on behalf of' party because it is not impersonation.

File Share or Related File Store

Authorized Requestor ServiceNow Request IT Security Processing Legal Approval Information Required from Requestor ServiceNow Assignment Group
HR or Dept. Head Yes Relevant filepath(s) Storage

 Special Requirements/Exceptions:

Available to specified individuals, with any caveats by Legal Counsel. Note: Access to many of the systems, such as Google Drive, is automatically removed when the resource is deleted at the end of the Closure process for the account.

Box, Google Drive, OneDrive

Authorized Requestor ServiceNow Request IT Security Processing Legal Approval Information Required from Requestor ServiceNow Assignment Group
HR or Dept. Head Yes Name of Box shared folder and/or account

For Box: storage

For Google Drive: IAM

For OneDrive: windows-server

 Special Requirements/Exceptions:

Box and OneDrive have a 180-day retention policy. The data is not permanently deleted on/after Closure Day 45. However, access to the data is terminated and will not be granted/approved to the closed individual. Per the Office of Legal Counsel, this should be made clear to the requestor. Requests received after Closure Day 45 will reinforce the closure process, and requests will be denied. IT Security will consult Legal with any escalated requests. Note: Access to other systems, such as Google Drive, is automatically removed when the resource is deleted at the end of the Closure process for the account.

Workstation Files

Authorized Requestor ServiceNow Request IT Security Processing Legal Approval Information Required from Requestor ServiceNow Assignment Group
HR or Dept. Head Yes Detailed reason for request, Statement of requestor's relationship (requires supervisory role), Workstation IP address, Physical location (building, room), Timeframe for access

desktop-support

 Special Requirements/Exceptions:

 n/a

Phone Records

Authorized Requestor ServiceNow Request IT Security Processing Legal Approval Information Required from Requestor ServiceNow Assignment Group
Self, or supervisory role overseeing the user for whom records are requested Yes Detailed reason for request, Statement of requestor's relationship (for self or requires supervisory role), Exact time frames of interest

voice-services

 Special Requirements/Exceptions:

 All phone requests should go to Legal, even if requesting for yourself.

Data Archive for Deceased Student

Authorized Requestor ServiceNow Request IT Security Processing Legal Approval Information Required from Requestor ServiceNow Assignment Group
Dean Yes No CNetID (and ChicagoID if there is any question about the identity)

multiple

 Special Requirements/Exceptions:

 IT Security will handle processing per standard procedure.

Canvas or LMS usage by students

Authorized Requestor ServiceNow Request IT Security Processing Legal Approval Information Required from Requestor ServiceNow Assignment Group
Dean Yes No  CNetID

faculty-support

 Special Requirements/Exceptions:

 n/a

Last modified 2024-06-24 11:38:20