19.3 Security and Privacy

(Amended 3/11/22)

The University employs various measures to protect the security of information technology resources and individual user accounts. Users should be aware, however, that the University cannot guarantee absolute security. Users should therefore engage in "safe computing" practices by safeguarding their accounts, and regularly changing and never sharing their passwords. Backup and recovery systems must be implemented in accordance with University disaster recovery guidelines, and all institutional systems must utilize security controls in accordance with best practices and University policies and procedures. The University respects encryption rights on its networks and may itself encrypt information and transactions when secure confidentiality is an obligation.

Users should also be aware that their uses of University information technology resources are not completely private as the information contained will be subject to the University's obligation to respond to subpoenas or other court orders, reasonable discovery requests, and public requests for documents pursuant to Iowa Code Chapter 22, the Public (Open) Records Law. All University records are subject to public record requests, unless an expressed exception in the law recognizes the confidentiality of the material, such as the exceptions provided for student, medical, or library records. By statute, public records include all "records, documents, tape or other information, stored or preserved in any medium," generated by University faculty or staff.

The Public Records statute contains no general exception for documents generated by faculty or staff in the course of their employment. As a result, the University recommends that faculty and staff refrain from keeping personal information on University systems, and utilize a personal email account for their personal communications. Additionally, users should be aware that University records that are otherwise subject to open records requests do not become confidential if they are created or stored on personally owned devices or in personal accounts. Disputes over the applicability of any confidentiality exceptions may ultimately be decided by a court of law, not by the University.

The same principles of academic freedom and privacy that have long been applicable to written and spoken communications in the University community apply also to electronic information. The University cherishes the diversity of perspectives represented on this campus and, accordingly, does not condone either censorship or the unauthorized inspection of electronic files. Thus, the principle of academic freedom shall be taken into account when implementing this policy.

While the University does not routinely monitor individual information transmitted, accessed, stored, or otherwise engaged via its information technology resources, the normal operation and maintenance of the University's information technology resources require the backup of data and communication records, the logging of activity, the monitoring of general usage patterns, and other such activities that are necessary for the rendition of service. The University may also access information transmitted, accessed, stored, or otherwise engaged via information technology resources, or monitor usage for a limited time, when there is a legitimate work-related reason, including but not limited to responding to open records requests, ensuring business continuity, complying with compulsory legal process (e.g., responding to discovery requests in the course of litigation or subpoenas), and engaging in investigations into workplace misconduct.

The University will make reasonable efforts to limit the scope of access and monitoring based on the authorized justification. Accessing or monitoring information must be authorized in advance by the University Chief Information Officer (CIO) or a designee, or, within UI Health Care, the CIO of Health Care Information Systems or a designee, in consultation with the University Office of the General Counsel or UI Health Care Legal Affairs, and other appropriate University officials, including the Executive Vice President and Provost or a designee when accessing or monitoring faculty or student information. Generally, access or monitoring will be conducted with advance notice to the user, unless, after consultation with the University Office of the General Counsel or UI Health Care Legal Affairs, and other appropriate University officials, including the Office of the Executive Vice President and Provost when accessing or monitoring faculty or student information, it is determined that notice is not feasible or appropriate, such as when notice would seriously jeopardize substantial interests of the University or of third parties.