IT Privacy and Monitoring Policy

This policy and the supporting IT Privacy and Monitoring Guidelines apply to all members of the University community whether at the University or elsewhere, and refers to all IT resources.

The University respects the privacy of its users and seeks to foster a climate free from arbitrary or capricious monitoring of employees and the records they create, use or control. However, because the University provides some latitude for IT users to conduct University business off-campus and to conduct personal matters at their place of work, University data and private data may be located in the same place. IT users should consider issues of privacy when storing their own data on University IT resources.

The University must at times access data and monitor IT resources. This policy identifies the special circumstances in which an authorised IT user may access another person’s private data that is held on IT resources.

1. Authorised IT users may access or monitor the content of private data where lawfully and reasonably required to do so by the University, including in the following circumstances:

• where the University has the permission of the IT user
• where the University is required by law to disclose data held on IT resources
• when the University has reasonable grounds to suspect that the law or any University statute or policy may have been breached
• to avert reasonably anticipated significant threats or hazards to IT resources
• when it is necessary for the University to determine whether data under the control of an IT user are University data, and the IT user is either unavailable or unwilling to give consent to access such data

The following definitions apply to this document:

Authorised refers to an IT user who has been given permission to access the requested data by a member of SMT, the Director IT Services or the Director IT Strategy Policy and Planning.

IT resources refers to any University owned or operated hardware or software and the data that is used or stored on it.

IT user refers to any individual member of the University community using IT resources.

Private data is all data that is not University data and is generated and/ or stored by an individual for their own use. Except as provided in any other University policy or agreement with the University, private data includes an IT user’s own research, teaching and learning materials.

University means the University of Auckland and includes all subsidiaries.

University community includes all staff members (whether permanent, temporary or part time), honorary staff, students (whether full time or part time), contractors, subcontractors, consultants, alumni, associates, business partners or official visitors or guests of members of the University or UniServices.

University data refers to any data created, received, used, or maintained by an IT user in the normal course of his or her work on behalf of the University.

Include the following:

• Privacy Act 1993
• Public Records Act 2005
• IT Acceptable Use Policy
• IT Security Policy
• Copyright Materials Policy
• Privacy Policy
• Records Management Policy
• Intellectual Property Created by Staff and Students Policy
• Addressing Bullying, Harassment and Discrimination Policy and Procedures
• IT Privacy and Monitoring Guidelines

Owned by: Chief Digital Officer (CDO)
Prepared by: IT Risk and Strategy Manager
Approved by: The Vice-Chancellor
Date approved: January 2017
Review date: January 2022