IT Privacy and Monitoring Guidelines


Application


The IT Privacy and Monitoring Policy and these supporting guidelines apply to all members of the University community whether at the University or elsewhere, and refer to all IT resources.

Purpose


To provide further explanation and recommended best practices for implementing the IT Privacy and Monitoring Policy.

Preserving and protecting data


In circumstances where the University determines that there may be a specific risk to the integrity or security of institutional data, the University may take measures to protect or preserve those data. For instance, the University may take a “snapshot” of a computing account to preserve its status on a given date, copy the contents of a file folder, or restrict access to a record system.

Employee obligations


  • File maintenance, e.g. maintaining files appropriately, i.e. clearly separating private data and University data
  • Employee conduct when accessing or monitoring records, e.g. accessing other people’s personal data only as authorised under this policy

Examples of breaches


  • An IT user monitors private data outside the circumstances allowed by the IT Privacy and Need to Monitor and Access Data policy
  • The University has granted access to the IT user (to monitor or access records) and the employee accesses or monitors records or record systems for purposes other than the purposes for which the University has granted access

Definitions


The following definitions apply to the IT Privacy and the Need to Monitor and Access Data Policy and to these guidelines:

Institutional data includes a data element which satisfies one or more of the following criteria. It is:

  • relevant to planning, managing, operating, controlling, internal or external accountability or auditing of the University
  • created, received, maintained, or transmitted as a result of educational, clinical, or research activities
  • generally referenced or required for use by more than one organisational unit
  • included in an official University academic or administrative report
  • data that the University is legally/contractually obliged to hold
  • generated by an IT user using any of the above data

IT user refers to any individual member of the University community using IT resources

IT resources refers to any University owned or operated hardware or software and the data that is used or stored on it

Private data is all data that is not University data and is generated and/or stored by an individual for their own use. Except as provided in any other University policy or agreement with the University, private data includes an IT user’s own research, teaching and learning materials

University means the University of Auckland and includes all subsidiaries

 

Key relevant documents


Include the following:

 

Document management and control


Owned by: CIO

Prepared by: IT Risk and Strategy Manager

Date approved: January 2017

Review date: January 2020