The University will treat all of its individual User information, User activity, and User communications as Confidential Information as defined in its Information Management Policy.
Confidential Information is defined by Pacific’s Information Management Policy and repeated here for convenience:
Confidential Information is the strictest data classification used by the University and requires maximum control. Depending on the nature or contents of the Confidential Information, disclosure or alteration of this type of information could cause great harm to an employee, student or the University. Confidential Information requires safeguarding, either due to the requirements of law or because of the mandates of prudent and reasonable practices. Access to Confidential Information is limited to specifically authorized individuals of the University and denied to all others, unless and until directed by an officer of the University and upon advice of legal counsel of the University.
The expectation that confidential private information will not be disclosed to anyone other than its owner.
Modern communications and computing systems may monitor, record or maintain certain User information (like directory information or files), user activity (like web sites visited) and user communications (like Email) as a normal part of their operation. Authorized security administrators / systems administrators in the normal course of operations, maintenance or problem diagnosis may have access to user information, user activity and user communications.
As a result of this normal maintenance activity, information, activity or communications in potential violation of University policy may be discovered. This information will be disclosed to the appropriate University official(s) and may ultimately result in investigation and/or corrective action (as defined under Enforcement).
Users should be aware that backups and copies of information may exist and may be retained for indeterminate periods of time, regardless of whether that information is 'deleted' by the User.
The University will not routinely monitor User information, User activity or User communications without a user’s consent. However, the University reserves the right to investigate suspected violations of University Policies by monitoring or reviewing individual user information, user activity or user communications on any of its Institutional Computers.
Authorization for any such monitoring must be obtained in writing from both the Information Security Analyst (The Security Officer) and the Chief Information Officer. Such authorization will be done in concert with the appropriate University officials and/or University counsel. In general, authorization will not be given for purposes relating simply to employee performance. For example, accusations of excessive web surfing are a management issue, not an issue sufficient to warrant monitoring.
Monitoring requests from non-University entities, including law enforcement, must additionally be cleared through University counsel. Requests, in writing, by an individual to have their own information, activity and communications monitored can be honored by the appropriate system administrator and/or the Information Security Analyst.
If in the judgment of the appropriate University officers or management, it is necessary to protect the integrity of its Computing and Communications Resources against unauthorized or improper usage, to protect authorized Users from the effects of unauthorized or improper usage under the University’s Acceptable Use Policy, to provide for the security and/or safety of its community members, to assure university policy compliance, or otherwise to protect the fiscal or management integrity of the institution, the University (through its Security Administrators) reserves the right to restrict, or permanently limit, any User activity, to inspect, copy, remove or otherwise alter any information on Institutional Computers, to inspect, copy, or remove User communications on Institutional Computers and to do so without notice to the user.
Emergency action on Private Computers is limited to removal from the network unless the action is part of a legal process. As per the Sanctions (See Table of Contents) of these policies. In addition, technical action may be taken in emergency situations by authorized Information Technology staff. Other corrective action, technical or non-technical, will be taken in accord with applicable University policies and procedures.
Normal Human Resource and student judicial policies will be used for non-emergency cases of suspected policy violation. Today, students, faculty and staff depend on information technology to perform their duties and meet expectations. If non-emergency IT policy infringement problems arise, they must be resolved in a consistent manner and utilize established University investigative and disciplinary channels and procedures. The CIO and Information Security Analyst (Security Officer) will work with the appropriate general University officials and appropriate School or administrative unit officials in these matters. The Information Security Analyst may also address this process with incident response procedures.
Except in an emergency, information technology staff members do not take unilateral action restricting user activity and/or action outside of established University processes.
An emergency situation occurs when the integrity or security of systems is at stake, when a user’s usage is seriously impacting the usage of others, or when the University has been placed in a position of immediate harm to its image or immediate legal liability. Simply having the potential for these conditions may be grounds for prompt process, but does not constitute an emergency. If a question arises about whether a situation is or is not an emergency, the Information Security Analyst and/or the CIO should be consulted.
Users should be aware that the University has no control over the content of information servers on the external Internet and does not routinely monitor inbound traffic for content. Please be informed that some information on or from the Internet may be personally offensive and/or unsuitable for certain audiences. User discretion is advised.
Users of computers, even if the University provides them, are responsible for ensuring that their systems are properly backed up and that the information contained therein is appropriately safeguarded to maintain security, confidentiality and policy compliance. Viruses, Trojan horses, worms, password breakers, packet observers, remote controllers and other malicious software may exist in the University electronic environment.
Be aware that these programs may be dangerous and/or capable of compromising confidential information. Take appropriate precautions including keeping anti-virus software up to date. In general, never run or access a program or received file unless the content is known in advance and the source is trusted.
The information in private computers is considered confidential private information. The courts (a three-judge panel of the U.S. Court of Appeals for the Ninth Circuit in San Francisco upheld an earlier decision of the U.S. District Court of the Northern District of California) have ruled that students have “a legitimate, objectively reasonable privacy expectation” concerning data on their computers even though they may be connected to a University network.
By extension, Pacific employees whose authorized jobs involve computer maintenance and security must gain documented permission from the owner before accessing not just student computers, but any private computer.
The information in institutional computers is considered confidential institutional information. Even if the information on an Institutional machine is Private (owned by the individual, not Pacific), use of an institutional machine waives any privacy rights the user may have in that information (although the information will continue to be treated as confidential).
At Pacific, except in an emergency, any intrusion into institutional computers beyond normal authorized maintenance and security requires the authorization of the Information Security Analyst (Security Officer) and the appropriate Vice President/Provost in consultation with the Director of Human Resources.
Private computers that contain Confidential Institutional Information may be subject to e-discovery in legal actions concerning the University. Such discovery may result in a loss of privacy.
The loss of a private computer containing Institutional Information may trigger notification under California Law 1386 as well as additional actions under other statutes.
Wherever possible, private computers should not be used to store Institutional Information.