Electronic Content Stewardship

Stewardship of Electronic Content Policy

(Note: Highlighted text reflects changes from the latest revision)
 

1.0 Policy Statement

The Wellesley College Stewardship of Electronic Content Policy establishes the exceptions to electronic content privacy at Wellesley College, including the retention of and access to electronic content following the departure of an employee. 

2.0 Overview & Purpose

Wellesley College strives to protect the privacy of electronic content and any sensitive data contained therein stored or accessed on its information technology resources.  As the custodians of electronic content, Library & Technology Services (LTS) will not inappropriately access or disclose information contained in an individual’s electronic content.  However, there are certain exceptional instances in which it is necessary for the College to access and/or disclose the electronic content of members of the Wellesley College Community, and LTS staff will only do so under direction of the appropriate electronic content stewards at the College.  This policy outlines the exceptions to electronic content privacy and establishes procedures for accessing electronic content in these cases.  It also addresses the retention of accounts for accessing electronic content following separations from the College.  For a detailed overview, see the account terminations table.

3.0 Scope

This policy applies to all members of the Wellesley College community that have access to electronic content (as defined below) through the College’s information technology resources, including all faculty, staff, students, alumnae, contract and temporary workers, consultants, and any other individual who access or store electronic content.

3.1 Definitions

Data Custodian
A data custodian is responsible for maintaining the technology infrastructure that supports access to the data, safe custody, transport and storage of the data and provide technical support for its use.  A data custodian is also responsible for implementation of the business rules established by the electronic content steward.  

Electronic Content Steward
An electronic content steward is responsible for authorizing access to electronic accounts including granting special access for new accounts, revoking access in the case of violations of College policy and granting access to existing accounts to third parties in the case of the exceptions outlined below.

Electronic Content
For the purposes of this document, electronic content is defined as all content that is stored under the ownership of a community member in central servers in the College network, College telephony systems, College negotiated outsourced services, and all content stored in the College provided desktops and laptops of faculty and staff (e.g,. files stored in NTM fileserver, webserver, Sakai, Google Apps for Education, and voicemail).

4.0 Policy

4.1 Responsibilities

Each constituency group at Wellesley College is assigned an electronic content steward for managing access to those accounts in accordance with this policy:

Type of Account Electronic Content Steward
Faculty Provost
Staff Vice President for Finance & Administration
Student (matriculated) Dean of Students
Alumnae Executive Director of the Alumnae Association


Under special circumstances, the Provost, Vice President for Finance and Administration, Dean of Students and Executive Director of the Alumnae Association may make exceptions to this policy for faculty, staff, students and alumnae respectively. LTS staff serve as the data custodians of all electronic content in employee and student accounts.  The Chief Information Officer (CIO) has overall responsibility for this policy. 

4.2 Exceptions to electronic content privacy

Electronic content at Wellesley College is considered private and will not be accessed or disclosed by the College, except in the following circumstances:

  • In response to a court order or subpoena;
  • For investigations involving human resource matters;
  • If there is reasonable suspicion of violation of any Wellesley College policy, including Acceptable Use, the Written Information Security Program or Copyright Policy, or of any federal or state laws or regulations;
  • In health and safety emergencies;
  • When the electronic content owner or account subscriber is unavailable for an extended period, and the information is necessary to conduct college business; OR
  • The content owner gives explicit permission to an LTS staff member to access specific content to help resolve problems.

In addition to these exceptions of electronic content privacy, Wellesley College reserves the right to access an individual’s electronic content following his or her termination of employment with the College.  See section 4.7 for more information on accessing electronic content of individuals no longer employed with Wellesley College.

4.3 Court order or other legal request for electronic content

The College may be under a legal obligation to respond to subpoenas by producing information stored on Wellesley's information technology resources.  Any court order or other legal request for submission of electronic content files or mail records will be directed to the Office of the Vice President for Finance and Administration.  Access to or disclosure of electronic content in response to this kind of request will only be carried out under the direction of the Vice President or his/her designee.

Actual content produced to the requesting party in response to a subpoena will vary depending on the specific circumstances, as a third-party subpoena typically does not require the production of all a specific user's content. After receiving a subpoena, the CIO will identify one or more LTS staff members to assist in collecting the data as required by the subpoena and in consultation with the attorneys and the appropriate senior staff member.  The College may choose to collect a snapshot of all of a user's content, such as email, computer hard drive, etc., for the purpose of evaluating what will be produced. The staff involved will be required to treat each of these cases with strict confidentiality.

4.4 Electronic content requests for possible legal or policy violations or Human Resources matters

When access to electronic content is requested for potential legal or policy violations or investigation of Human Resources matters, permission must first be obtained from the appropriate electronic content steward or designee.

Examples of these matters may include when complaints such as sexual or other types of harassment or unfair treatment have been filed and HR has determined in consultation with legal counsel that the College needs to preserve the electronic content of those involved for further investigation.  Once permission is obtained, LTS staff will provide access to the requesting party under the direction of the CIO in accordance with the details of the request approved by the electronic content steward.  The College’s legal counsel will be consulted as appropriate.

4.5 Electronic content requests during health and safety emergencies

In the event of a health and safety emergency, it may be necessary to access or disclose electronic content to local, state or federal emergency responders, or to officials involved with emergency response at the College.  In these situations, LTS staff will only access or disclose electronic content under direction of the CIO and in response to a request from the Chief of the Wellesley College Campus Police, the Director of Health Services, the Director of Counseling Services, the Dean of Students or their designees.

As soon as is practicable, the CIO will notify the appropriate electronic content steward about what data was accessed and from whom, and any other relevant details related to the request.

4.6 Accessing electronic mail accounts when the subscriber is unavailable

There are many situations in which employees may take an extended leave of absence.  In planned absences, employees are expected to place an out-of-office reply on their electronic mail account directing people who to contact in their absence.  In some cases where access to their electronic mail may be necessary, the employee may choose to forward their incoming mail to another employee.  For unplanned extended absences, it may be necessary for the College to access incoming mail for continuity of business operations.  In these rare instances, a request may be made by the appropriate electronic content steward to the CIO, who will arrange for incoming mail to be forwarded to the employee’s supervisor.  

4.7 Retention of and access to electronic content following separation from the College


Procedures for employees

In the case of amicable separations, the employee will be advised to create  an out-of-office electronic mail response two weeks prior to the last date of employment to redirect incoming mail to his or her supervisor.  The employee’s access to all accounts and electronic content will be terminated within 24 hours of their termination date.  At the time of termination, any electronic content, including incoming or existing electronic mail and voicemail messages, will be made available to the prior employee’s academic chair or department head, or his or her designee, upon request and approval by the Assistant Vice President for Human Resources and the CIO.  After two weeks following separation, voicemail messages will be deleted. After 6 months following separation, all other electronic accounts and associated data will be deleted.  The employee will be made aware of these procedures so that he or she can make the necessary preparations.

Special procedures for faculty

Official dates for faculty appointment terminations are either June 30 (Spring terminations) or Dec 31 (Fall terminations) of each year. However, faculty require access to their electronic content and access to other College technical services beyond these dates so that they can post grades and access SEQs. It is also the case that the students need to have an option to contact the faculty for a short period after the grades have been posted. Therefore the policy for faculty are as follows:

  • The faculty member will have exactly the same access that they had as an employee of the College for one additional month after the official termination date (until Jan 31 for Fall termination, or July 31 for Spring termination).
  • The faculty member will have access to Google Apps for Education and Sakai for an additional month - until Feb 28 or August 31.
  • On Feb 28 or August 31, faculty member will lose access to Google Apps for Education and Sakai and can request to forward emails to a non-Wellesley account for the next three months.

The faculty member will be made aware of these procedures prior to their departure date so that he or she can make the necessary preparations.

Procedures for retired faculty, staff & President’s Club

The only exception to the above rule regarding retention of access to electronic content occurs for retired and current faculty and staff that are considered part of the “President’s Club,” with greater than 25 years of service at the College.  These employees retain access to their domain accounts and electronic content indefinitely, except in the case of non-amicable terminations (see below).

Procedures for non-amicable terminations

When a faculty or staff member’s employment with the College is terminated and the separation is non-amicable, all access to computer accounts and electronic content will be terminated immediately.  This practice is true regardless of the employee’s length of service with the College.  When an employee is terminated non-amicably, they abdicate any prior privileges for lifetime access to Google Apps, with the exception of alumnae working at the College (see below).  At the time of separation, any electronic content, including incoming or existing electronic mail or voicemail, will be made available to the terminated employee’s academic chair or department head, or his or her designee, upon request and approval by the Assistant Vice President for Human Resources and the CIO.  After 6 months following separation, all accounts and associated data will be deleted.

Procedures for deceased employees and students

If a current employee or student becomes deceased, his or her beneficiary or estate has the right to request access to his or her electronic content for a period of 2 years following the death, for the purpose of gathering personal materials of the deceased for estate administration.  These requests will be handled on a case-by-case basis in consultation with the College’s attorney.  Care will be exercised to ensure the privacy of any sensitive College data contained in the electronic content of the deceased employee.  After 2 years, all electronic content of the deceased person will be deleted.

Procedures for students and alumnae

Students retain access to their domain accounts for six months following graduation in order to allow access to their transcripts.  Beginning with the class of 2012, alumnae will retain access to their content in Google Apps for Education indefinitely.  However, if an alumna is working for the College and a non-amicable separation occurs, access to the existing email address and all associated content and services will be terminated immediately. LTS will create a new email address for the alumna to be used for personal use only.  In consultation with Human Resources, LTS will add an out-of-office notification to the original email address that alerts senders that the alumna is no longer working for the College and refers them to this new email address.

5.0 Enforcement

In the case of any violations of existing College policy or applicable state or federal law, the College reserves the right to use its discretion in addressing the violation, including terminating access to electronic content and/or sharing access to the electronic content with others.

6.0 Policies Cross-Referenced
 

7.0 Effective Date

This policy was approved by the Advisory Committee on Library and Technology Policy and the President’s Cabinet and went into effect 4/6/2012.  This policy was updated 2/27/2014.

 

catch of the day

9/12: Phishing from IT Dept.

Report phishing 
Identify phishing

SERVICE ALERTS

LTS News

In the works