Data Request Procedures
The UC Electronic Communications Policy (ECP) specifies requirements for obtaining consent or authorization to access the electronic records of current employees and students and for using the “least perusal of contents and the least action necessary to resolve the situation.”
ECP provisions do not cover former employees and students, but campus practice extends similar courtesies of consent or notice and least degree of invasiveness to individuals that maintain access to University accounts.
Access with Consent
An electronic communication holder's consent shall be obtained by the University prior to any access for the purpose of examination or disclosure of the contents of University electronic communications records in the holder's possession (see ECP section IV. Privacy and Confidentiality) — except under limited circumstances.
Access Without Consent
When the contents of electronic communications must be examined, monitored, or disclosed without the holder's consent, such actions must be authorized as described in ECP § IV.B.: Access Without Consent. (See that Policy for detailed information: Electronic Communications Policy).
Circumstances which may permit access without consent
Per the UC Electronic Communications Policy, the University shall permit the examination or disclosure of electronic communications records without the consent of the holder of such records only:
- when there is substantiated reason to believe that violation of law or UC policy have taken place. Reliable evidence indicating that violation of law or University policies listed in ECP Appendix C probably has occurred, as distinguished from rumor, gossip, or other unreliable evidence);
- when there are compelling circumstances. Failure to act might result in significant bodily harm, property loss or damage, loss of significant evidence of one or more violations of law or of University policies listed in Appendix C or significant liability to the University or to members of the University community;
- when required by and consistent with law; or
- under time-dependent, critical operational need. Failure to act could seriously hamper the ability of the University to function administratively or to meet its teaching obligations, but excluding circumstances pertaining to personal or professional activities, or to faculty research or matters of shared governance.
Procedures for requesting access without consent
If you believe that you may need to request an access of a record holder’s electronic communications without their consent or you have questions whether a circumstance requires consent to access their electronic communications, please contact the UCR Campus Privacy Officer at firstname.lastname@example.org.
If the request meets one of the provisions for access without consent, the Campus Privacy Officer will explain the process which includes completing information about:
- the requested record holder and records;
- the type of request;
- the provision(s) under which the records are sought;
- the reason that consent cannot be obtained; and
- the notice to affected individual(s).
The request will be reviewed by the Campus Privacy Officer, Campus Counsel, and ultimately must be approved by the applicable authorizing official dependent of the record holder’s affiliation:
- Student Record Holders – Vice Chancellor of Student Affairs
- Academic Employee/Librarian Record Holders – Executive Vice Chancellor and Provost
- Staff and Other Affiliate Record Holders – Vice Chancellor of Administration, Planning, and Budget
Deleting emails without consent
Requests to delete harmful emails that have been previously sent and received will only be considered under the following circumstances:
- Communications that are harmful to the reliability or security of the service.
- These will be handled by the Information Security Office.
- Communications whose content may violate privacy principles, laws, or regulations, including data exposure, offensive or threatening content.
- These will be handled by the Privacy Office.
Providing Notice: Notice to the recipient is not required for email deletions necessary to prevent harm to the reliability or the security of the service. In instances where the deletion occurs because personal information of an individual has been disclosed, notice should be provided to that individual even if not required by law.
For more information regarding requests to delete previously sent emails, contact the Campus Privacy Officer at email@example.com.
Former Employee Electronic Records
Every effort should be made to obtain necessary electronic records from an employee prior to their separation. Due to privacy and staff resource concerns, it will not be standard practice for ITS staff to provide access to former employee’s accounts. However, the following process will be used for incidents when campus operational needs require access to a former employee’s electronic records. A request for ITS staff assistance can be sent by the former supervisor of the separated employee to firstname.lastname@example.org. Please provide the following information:
- Indicate whether the former employee was contacted, and whether consent for access was granted.
- Describe the request in detail: account name(s), description of resource for which access is needed, who will be given access, how long access is needed, etc. In accordance with the privacy principles of least perusal, please define the request as narrowly as possible (i.e., identify specific files or folders) and provide an end date for when access will no longer be needed (Note: Access should generally be removed after two weeks unless there is a significant operational need for extended access).
- Acceptance by the person who will be given access that the “least invasive degree of inspection” will be used (i.e., that upon encountering a personal message/file the user will stop looking at it and move on), and that once the needed information is obtained, access will be terminated.
The UCR Campus Privacy Officer will review the request and forward it to the appropriate service provider.
Litigation Holds for Electronically Stored Information (ESI)
If you receive information about a litigation hold (also known as a “legal hold” or “notice to preserve document and electronic data”) which requires the University to preserve Electronically Stored Information (ESI) relevant to current or potential litigation or legal disputes, please contact the UCR Office of Legal Affairs. For more information on this process, you may also review the UCR policy on Electronic Discovery and Data Preservation (800-10).
Data Preservation Requests (Separate from Legal Disputes)
In certain circumstances not related to legal disputes, such as an internal investigation, there may be a request for the preservation of electronic records to ensure that loss of information (i.e., spoilage) does not occur. These requests are separate from an Access Without Consent request as no access of electronic records is granted to the requestor. If and when, a requestor would like to access these electronic records, they must either obtain consent from the record holder or follow the Access Without Consent process.
If you believe that you may need to request the preservation of electronic records or have questions whether a preservation request would be advisable, please contact the UCR Campus Privacy Officer at email@example.com. If submitting a request for data preservation, please provide the following information:
- Describe the request in detail: account name(s), description of resource for which preservation is needed, how long preservation is needed (if applicable), etc. In accordance with the privacy principles of least perusal, please define the request narrowly (if possible) and provide a justification for the request.