Skip Ribbon Commands
Skip to main content
Sign In
Search Policy Site
Pacific Logo

Computing and Communications Confidentiality Policy


The University will treat all of its individual User information, User activity, and User communications as Confidential Information as defined in its Information Management Policy.

Note that the line above is University Institutional Policy and that what follows is University Operational Policy. Both are approved by the Information Strategy and Policy Committee (ISPC).

Definitions

Confidential information

Confidential Information is defined by Pacific’s Information Management Policy and repeated here for convenience:

Confidential Information is the strictest data classification used by the University and requires maximum control.  Depending on the nature or contents of the Confidential Information, disclosure or alteration of this type of information could cause great harm to an employee, student or the University.  Confidential Information requires safeguarding, either due to the requirements of law or because of the mandates of prudent and reasonable practices.  Access to Confidential Information is limited to specifically authorized individuals of the University and denied to all others, unless and until directed by an officer of the University and upon advice of legal counsel of the University.

Ownership of Confidential Information:

  • Confidential Institutional Information is owned by the University
  • Confidential Private Information is owned by the User

Computers

  • Desktops
  • Laptops
  • All other computing hardware
  • Media
  • Communication devices
  • Systems that can store data

Ownership of Computers

  • Institutional Computers are owned, leased or provided by the University
  • Private Computers are owned, leased or provided by the User.

Privacy

The expectation that confidential private information will not be disclosed to anyone other than its owner.

Users should not assume they are anonymous or have absolute protection from disclosure

Modern communications and computing systems may monitor, record or maintain certain User information (like directory information or files), user activity (like web sites visited) and user communications (like Email) as a normal part of their operation.   Authorized security administrators / systems administrators in the normal course of operations, maintenance or problem diagnosis may have access to user information, user activity and user communications.

As a result of this normal maintenance activity, information, activity or communications discovered to be in potential violation of University policy may be discovered. This information will be disclosed to the appropriate University official(s) and may ultimately result in investigation and/or corrective action (as defined under Enforcement). 

Backups and Copies

Users should be aware that backups and copies of information may exist and may be retained for indeterminate periods of time, regardless of whether that information is 'deleted' by the User

Monitoring of user information

The University will not routinely monitor User information, User activity or User communications without a user’s consent.  However, the University reserves the right to investigate suspected violations of University Policies by monitoring or reviewing individual user information, user activity or user communications on any of its Institutional Computers.

Authorization for any such monitoring must be obtained in writing from both the Information Security Analyst (The Security Officer) and the Chief Information Officer.  Such authorization will be done in concert with the appropriate University officials and/or University counsel.  In general, authorization will not be given for purposes relating simply to employee performance.  For example, accusations of excessive web surfing are a management issue, not an issue sufficient to warrant monitoring.

In addition, monitoring requests from non-University entities, including law enforcement, must additionally be cleared through University counsel.  Requests, in writing, by an individual to have their own information, activity and communications monitored can be honored by the appropriate system administrator and/or the Information Security Analyst.

Emergency steps can be taken

If in the judgment of the appropriate University officers or management, it is necessary to protect the integrity of its Computing and Communications Resources against unauthorized or improper usage, to protect authorized Users from the effects of unauthorized or improper usage under the University’s Acceptable Use Policy,  to provide for the security and/or safety of  its community members, to assure university policy compliance, or otherwise to protect the fiscal or management integrity of the institution, the University (through its Security Administrators) reserves the right to restrict, or permanently limit, any User activity, to inspect, copy, remove or otherwise alter any information on Institutional Computers, to inspect, copy, or remove User communications on Institutional Computers and to do so without notice to the user.

Emergency action on Private Computers is limited to removal from the network unless the action is part of a legal process. As per the Sanctions (See Table of Contents) of these policies.  In addition, technical action may be taken in emergency situations by authorized Information Technology staff.  Other corrective action, technical or non-technical, will be taken in accord with applicable University policies and procedures.

Non-Emergency Cases

Normal Human Resource and student judicial policies will be used for non-emergency cases of suspected policy violation.  Today, students, faculty and staff depend on information technology to perform their duties and meet expectations.  If non-emergency IT policy infringement problems arise they must be resolved in a consistent manner and utilize established University investigative  and disciplinary channels and procedures.  The CIO and information security analyst (Security Officer) will work with the appropriate general University officials and appropriate School or administrative unit officials in these matters.  The Security analyst may also address this process with incident response procedures.

Emergency Action Limitations

Except in an emergency, information technology staff members do not take unilateral action restricting user activity and/or action outside of established University processes. 

An emergency situation occurs when the integrity or security of systems is at stake, when a user’s usage is seriously impacting the usage of others, or when the University has been placed in a position of immediate harm to its image or immediate legal liability.  Simply having the potential for these conditions may be grounds for prompt process, but does not constitute an emergency.  If a question arises about whether a situation is or is not an emergency, the Information Security Analyst and/or the CIO should be consulted.

Internet - Limitations of Control

Users should be aware that the University has no control over the content of information servers on the external Internet and does not routinely monitor inbound traffic for content.  Please be informed that some information on or from the Internet may be personally offensive and/or unsuitable for certain audiences.  User discretion is advised.   

User Responsibilities

Users of computers, even if the University provides them, are responsible for insuring that their systems are properly backed up and that the information contained therein is appropriately safeguarded to maintain security, confidentiality and policy compliance.  Viruses, Trojan horses, worms, password breakers, packet observers, remote controllers and other malicious software may exist in the University electronic environment. 

Be aware that these programs may be dangerous and/or capable of compromising confidential information.  Take appropriate precautions including keeping anti-virus software up to date.  In general, never run or access a program or received file unless the content is known in advance and the source is trusted.

Private Information Policy

The information in private computers is considered confidential private information. The courts (a three Judge Panel of the U.S. Court of Appeals for the Ninth Circuit in San Francisco upheld an earlier decision of the U.S. District Court of the Northern District of California) have ruled that students have “a legitimate, objectively reasonable privacy expectation” concerning data on their computers even though it may be connected to a University network. 

By extension , Pacific employees whose authorized jobs involve computer maintenance and security must gain documented permission from the owner before accessing not just student computers, but any private computer.

Users are responsible for maintaining proper back-ups of their data, including, but not limited to, data files, applications, license keys and documentation.  Although a rare occurrence, University service personnel are not responsible for any loss of data that may occur as a result owner authorized activities. This is to be documented as part of the permission process (above).

Confidential Information Policy

There is no expectation of privacy on institutional computers

The information in institutional computers is considered confidential institutional information. Even if the information on an Institutional machine is Private (Owned by the individual, not Pacific) use of an institutional machine waives any privacy rights the user may have in that information (although the information will continue to be treated as confidential).

Pacific employees, whose authorized jobs involve computer maintenance and security, are not required to gain permission from a user (or their designee) before accessing any Institutional Computer for normal maintenance and security purposes.

At Pacific, except in an emergency, any intrusions into institutional computers beyond normal authorized maintenance and security requires the authorization of the Information Security Analyst (Security Officer) and the appropriate Vice President/Provost in consultation with the Director of Human Resources. 

Users are responsible for maintaining proper back-ups of their data, including, but not limited to, data files, applications, license keys and documentation.  Although a rare occurrence, University service personnel are not responsible for any loss of data that may occur as a result of institutionally authorized activities.

E-discovery on Private Computers

Private computers that contain Confidential Institutional Information may be subject to e-discovery in legal actions concerning the University.  Such discovery may result in a loss of privacy. 

The loss of a private computer containing Institutional Information may trigger notification under California Law 1386 as well additional actions under other statutes.

Wherever possible, private computers should not be used to store Institutional Information.​​​

About This Policy
Last Updated
11/12/2007
Original Issue Date
5/4/2007

Responsible Department
Information Technology


Roles, Responsibilities, & Sanctions
General IT Policy Information v1.0.pdfGeneral IT Policy Information v1.0.pdf​