IT Privacy and Monitoring Guidelines

Application

The IT Privacy and Monitoring Policy and these supporting guidelines apply to all members of the University community whether at the University or elsewhere, and refer to all IT resources.

Purpose

To provide further explanation, and recommended best practices for implementing the IT Privacy and Monitoring Policy.

Preserving and protecting data

In circumstances where the University determines that there may be a specific risk to the integrity or security of institutional data the University may take measures to protect or preserve those data. For instance, the University may take a “snapshot” of a computing account to preserve its status on a given date, copy the contents of a file folder, or restrict access to a record system.

Employee obligations

  • File maintenance e.g. to include maintaining files appropriately - ie clearly separating private data and University data
  • Employee conduct when accessing or monitoring records e.g. only to access other people’s personal data as authorised under this policy

Examples of breaches

  • An IT user monitors private data outside the circumstances allowed by the IT Privacy and Need to Monitor and Access Data policy
  • The University has granted access to the IT user (to monitor or access records) and the employee accesses or monitors records or record systems for purposes other than the purposes for which the University has granted access

Definitions

The following definitions apply to this document:

Institutional data includes a data element which satisfies one or more of the following criteria, it is:

  • relevant to planning, managing, operating, controlling, internal or external accountability or auditing of the University
  • created, received, maintained, or transmitted as a result of educational, clinical, or research activities
  • generally referenced or required for use by more than one organisational unit
  • included in an official University academic or administrative report
  • data that the University is legally/ contractually obliged to hold
  • generated by an IT user using any of the above data

IT user refers to any individual member of the University community using IT resources.

IT resources refers to any University owned or operated hardware or software and the data that is used or stored on it.

Private data is all data that is not University data and is generated and/ or stored by an individual for their own use. Except as provided in any other University policy or agreement with the University, private data includes an IT user’s own research, teaching and learning materials.

University means the University of Auckland and includes all subsidiaries.

Key relevant documents

Document management and control

Owned by: Chief Digital Officer (CDO)
Prepared by: IT Risk and Strategy Manager
Date approved: January 2017
Review date: January 2020