UCLA Policy 410 : Access without Consent to Electronic Communications Records
I. PURPOSE & SCOPE
The University recognizes that principles of academic freedom and shared governance, freedom of speech, and privacy hold important implications for the use of electronic communications. The University of California Electronic Communications Policy (ECP) reflects these firmly held principles within the context of the University’s legal and other obligations. The University respects the privacy of electronic communications while seeking to ensure that University records are accessible for the conduct of the University's business.
This Policy implements the provisions of the ECP relevant to nonconsensual access (hereafter referred to as “access without consent”) to University Electronic Communications Records. This Policy, consistent with the ECP, also addresses Electronic Communications Records for preservation of evidence and investigations.
This Policy applies to all Holders of Electronic Communications Records about or relating to University activities.
For the purposes of this Policy:
See Attachment B
III. POLICY STATEMENT
The University must obtain a Holder’s consent prior to any access to Electronic Communications Records in the Holder’s Possession for the purposes of examination or disclosure of University Electronic Communications Records, except under circumstances as outlined in and in accord with Section IV of this Policy.
University employees must comply with University requests for access to Electronic Communications Records in their Possession that pertain to the activities of the University, or whose disclosure is required to comply with applicable laws.
Except for UCLA Emeritus faculty and UCLA Emeritus staff, and Registered Students, or unless pursuant to an agreement for continuing provision of an Electronic Communications Service (including eligibility for Google Apps for UCLA services), employees who have separated from the University of California are no longer the Holders of Electronic Communications Records. The University can access these Records without consent and without following the provisions of Section IV from the point of separation. Nevertheless, when access to such Records is needed, least perusal of contents and the least action necessary to resolve the situation must still be employed.
Providers of University Electronic Communications Systems and Services must ensure that their operational practices and terms of service are consistent with this Policy, and that their users are made aware of these terms prior to use.
Unit heads must ensure that their local practices regarding Electronic Communications Records are consistent with this Policy, and that users are made aware of these practices as part of the onboarding process. Guidance can be found in the Electronic Communications Policy, Attachment 2 (Implementation Guidelines), Section III.B.5 on Access to University Administrative Records.
IV. ACCESS WITHOUT CONSENT
The University can access Electronic Communications Records without the consent of the Holder for the purposes of examination or disclosure of the contents only when:
(i) required by and consistent with law;
(ii) there is Substantiated Reason to believe that violations of law or of University policies listed in the ECP Appendix C, Policies Relating to Access Without Consent have taken place;
(iii) there are Compelling Circumstances; or
(iv) under Time-dependent, Critical Operational Circumstances.
When under the circumstances described above and in accordance with the appropriate procedure outlined below, the contents of Electronic Communications Records can be accessed, examined or disclosed without the Holder’s consent.
- Prior Authorization (Section IV.A.1)
- Emergency Circumstances (Section IV.A.2)
- Search Warrants and Subpoenas (Section IV.A.3)
- Preservation of Evidence (Section V)
- California State and Internal Audit (Reference VI.4)
1. Prior Authorization
UCLA employees or investigative offices may request access without consent by completing Attachment A, Request Form for Authorization to Access Electronic Communications Records (“Request Form”) in advance of access. The UCLA Authorizing Official is the official responsible for authorizing or denying the access request, in writing. Any authorization will be limited to the least perusal of contents and the least action necessary to resolve the situation.
The appropriate UCLA Authorizing Official depends upon the status of the affected Holder (see Table 1 below). Prior to approving or not approving the request, the UCLA Authorizing Official will seek the advice of the following officials and all such advice will be given in a timely manner.
· Department Head or Unit Head, to ensure the request is appropriate and related to University activities;
· UCLA Office of Legal Affairs (if a campus matter) or UCLA Health Sciences Office of Legal Affairs (if a Health Sciences matter) because of changing interpretations by the courts of laws affecting the privacy of Electronic Communications, and because of potential conflicts among different applicable laws;
· Chair of the UCLA Academic Senate, when a request involves Electronic Communications Records held by Faculty or Emeritus Faculty, will attach written advice separately from the Request Form; and
· Campus Chief Privacy Officer (if a campus matter) or UCLA Health Chief Security and Data Privacy Officer (if a Health Sciences matter), on limiting authorization to the least perusal and the least action necessary to resolve the situation.
Table 1. UCLA Authorizing Officials
If Holder’s Status is:
The UCLA Authorizing Official is:
The UCLA Authorizing Official is advised by:
Faculty, Emeritus Faculty, Separated faculty with an agreement for continued access to Electronic Communications Services
Vice Chancellor, Academic Personnel
Student (Not in a capacity as a Staff Employee) or Academic Apprentice
Vice Chancellor, Student Affairs
Staff Employee (Non-UCLA Health), Student in this capacity, or Separated staff with an agreement for continued access to Electronic Communications Services
Administrative Vice Chancellor
UCLA Health Staff Employee or Student in this capacity or Separated UCLA Health Staff Employee with an agreement for continued access to Electronic Communications Services
President of UCLA Health;
Vice Chancellor, UCLA Health Sciences; and CEO of UCLA Health
Executive Vice Chancellor and Provost
The Chancellor or the Executive Vice Chancellor and Provost may act in place of any of the UCLA Authorizing Officials in Table 1, regardless of the affected Holder’s status. While the Chancellor or the Executive Vice Chancellor and Provost are only required to consult with UCLA Legal Affairs or UCLA Health Sciences Legal Affairs, they will generally also consult with the Campus or UCLA Health Chief Privacy Officer.
The authority of UCLA Authorizing Officials may not be delegated. A UCLA Authorizing Official will recuse themselves in the event of a conflict of interest. Approvals can be made by signing the form and/or by sending a confirming email.
Authorization is given to the individual UCLA employee named in Attachment A, unless this request is from an investigative office (Section IV.A.4), in which case authorization is for that office.
2. Emergency Circumstances
In Emergency Circumstances, access without consent may be taken immediately without prior authorization, but appropriate authorization must then be sought without delay following the procedures described above. The least perusal of contents and the least action necessary is required to resolve the emergency.
If the action taken is not subsequently authorized, the Electronic Communications Holder may seek recourse (Section IV.D).
3. Search Warrants and Subpoenas
Search warrants and subpoenas are not subject to Sections IV.A.1, 2, 4, IV.C or IV.D. Search warrants and subpoenas for Electronic Communications Records will be referred to Campus Counsel or designated campus officials.
- Search Warrants. Duly signed search warrants will be processed in accordance with federal and state laws, University policies, and instructions in the warrant.
- Subpoenas. Subpoenas will be processed in accordance with applicable federal and state laws and University policies (see UCLA Procedure 120.1, Producing Records Under Subpoena Duces Tecum and Deposition Subpoenas).
Campus officials will provide advance notice to individuals whose records are the subject of a subpoena or warrant, except where a court order prohibits such notice.
The following investigative offices may act as the requestor for access without consent in Attachment A:
- ADA/504 Compliance
- Civil Rights Office
- Discrimination Prevention
- Title IX
- Staff, Diversity & AA/EEO Compliance
- Human Resources
- Locally Designated Official
- Research Policy and Compliance
- Student Conduct
The UCLA campus Chief Privacy Officer or UCLA Health Chief Privacy Officer, as appropriate, will at the earliest opportunity that is lawful and consistent with other University policies notify the affected individual of the action(s) taken and the reasons for the action(s) taken. Campus Counsel or UCLA Health Legal Affairs, as appropriate, will advise if notification should not occur.
UCLA will issue, in a manner consistent with law, an annual report summarizing instances of authorized or Emergency Circumstances access without consent pursuant to the provisions of this section, without revealing personally identifiable data. The campus Chief Privacy Officer will tabulate this data for UCLA and provide the report as required by the ECP.
C. Compliance with Law
Actions taken under this Policy, including access to Electronic Communications Records residing on equipment not owned or housed by the University, will be in full compliance with the law and other applicable University policies, including laws and policies listed in ECP Appendix B, References. Advice of counsel must always be sought prior to any action involving Electronic Communications Records.
Should any requirement of this Policy be in conflict with legal requirements, Campus Counsel or UCLA Health Legal Affairs, as appropriate, in consultation with other campus offices or officials as appropriate, will make a recommendation to the Executive Vice Chancellor and Provost or to the Chancellor about resolving the conflict.
D. UCLA Recourse
A UCLA Electronic Communications Holder who believes that an action taken under Section IV.A.1 or IV.A.2 by employees or agents of the University was in violation of this Policy may file a complaint through their applicable faculty or staff grievance procedure.
V. PRESERVATION OF EVIDENCE
Consent is not required to carry out the University’s duty to preserve evidence. However, evidence subject to this Policy remains subject to this Policy when preserved. Thus any examination or disclosure of such preserved evidence requires the Holder’s prior consent as required by Section III, Policy Statement, or the procedure in Section IV, Access without Consent.
Preservation applies to all University Electronic Communications Services, including but not limited to departmental services, Enterprise Messaging, MedNet, and Google Apps for UCLA.
Actual preservation will be coordinated through the campus e-discovery Coordinator, or UCLA Health e-discovery Coordinator, as appropriate, to ensure preservation meets chain of custody and other legal requirements, and to ensure that preserved evidence is securely stored. Evidence so preserved may be exempted from the encryption requirements of UCLA Policy 404, Encryption of Electronically Stored Personal Information.
Preserved evidence will be released by the campus e-discovery Coordinator or UCLA Health e-discovery Coordinator in accordance with preserved evidence disposition protocols.
- University of California Electronic Communications Policy (ECP)
- UCLA Procedure 120.1, Producing Records Under Subpoena Duces Tecum and Deposition Subpoenas
- UC Whistleblower Policy
- On March 18, 2004 the Regents Committee on Audit approved changes to the Internal Audit Management Charter authorizing Internal Audit to have access to University information except where prohibited by law. [http://www.universityofcalifornia.edu/regents/regmeet/mar0html]
/s/ Mark Krause
Associate Vice Chancellor / Chief Compliance & Audit Officer