Policy Number: 12-021

Monitoring of IT Resources Policy

Category: Information Technology

Responsible Executive: Vice President and Chief Information Officer

Responsible Office: Vice President and Chief Information Officer


  1. Purpose The purpose of this policy is to define how The University may monitor UF Information Technology (IT) resources and retrieve communications and other records of specific users of UF Information Technology resources.

  2. Applicability This policy covers monitoring and retrieval of all forms of electronic communications and data stored or transmitted on University Information Systems, including individual login sessions, stored files and the content of individual communications. 

  3. Definitions

    Information System: An individual or collection of computing and networking equipment and software used to perform a discrete business function. Examples include the eLearning System, ISIS, the EPIC electronic medical records system, a lab system and associated PC or the set of desktop computers used to perform general duties in a department.

    University of Florida Data: Data in any format collected, developed, maintained or managed by or on behalf of the University, or within the scope of University activities. The terms ‘data’ and ‘information’ are used interchangeably in the context of the information security program.
  4. Policy Statement
  • Approval must be obtained and provided to the Vice President and Chief Information Officer prior to monitoring or retrieval of IT resources, except as specified within this policy. Approval must be obtained from the appropriate senior leadership:
    • Vice President and General Counsel (or designee) in all situations.
    • Vice President for Human Resources (or designee) when the university is reviewing or investigating employee conduct.
    • Vice President for Student Affairs (or designee) when the university is reviewing or investigating student conduct.
  • Approval may be granted to monitor or retrieve IT Resources when the university has a legitimate need to access an account or activity and the access is reasonable in relation to the need. Examples include::
    • It reasonably appears necessary or appropriate to do so to protect the university from liability or disruption.
    • There is reasonable cause to believe that the user has violated or is violating the Acceptable Use Policy or that the user has violated, or is violating, any other university or Board of Governors rule, regulation, policy, or collective bargaining agreement, or any other law or regulation and the access is reasonable in relation to the believed violation.
    • It is part of any investigation or review of an already asserted, threatened or potential complaint or grievance or of a credible allegation of a violation of the law, including without limitation local, state or federal law, or foreign law as applicable, or university or Board of Governors rule, regulation or policy, or the subject of a law enforcement review or investigation, and the scope of access to the account or activity is reasonable in relation to the complaint, grievance or allegation.
    • A threat of violence or suicide.
  • No prior approval is required to monitor UF IT resources or retrieve communications and other records in the following situations:
    • When needed to comply with legal or contractual requirements, e.g. public records requests or subpoenas.
    • The university or individual has made the communications and/or records public.
    • The monitoring or retrieval is in response to an emergency. An emergency occurs when there is an imminent threat to life or property and there is not sufficient time available to obtain approval. In such a situation, monitoring or retrieval may be conducted without prior approval, with notification to the Vice President and Chief Information Officer and the General Counsel as soon as possible. The scope of access should be reasonable in relation to the emergency situation involved.
    • Monitoring or retrieval for the purposes of detecting or investigating a computer security incident or Data Breach. Approval must be obtained to release communications and/or records gathered as part of an investigation to persons other than members of the Computer Security Incident Response Team or Privacy investigation team.
    • It reasonably appears necessary or appropriate to do so to protect the integrity, security or functionality of university or other computing resources.

History

Revision Date Description
February 6, 2020  Policy originally adopted
Policy updated