19.3 Security and Privacy

The same principles of academic freedom and privacy that have long been applicable to written and spoken communications in the University community apply also to electronic information. The University cherishes the diversity of perspectives represented on this campus and, accordingly, does not condone either censorship or the unauthorized inspection of electronic files.

The University employs various measures to protect the security of information technology resources and individual user accounts. Users should be aware, however, that the University cannot guarantee absolute security. Users should therefore engage in "safe computing" practices by safeguarding their accounts, and regularly changing and never sharing their passwords. Backup and recovery systems must be implemented in accordance with University disaster recovery guidelines, and all institutional systems must utilize security controls in accordance with best practices and University policies and procedures. The University respects encryption rights on its networks and may itself encrypt information and transactions when secure confidentiality is an obligation.

Users should also be aware that their uses of University information technology resources are not completely private as the information contained will be subject to the University's obligation to respond to subpoenas or other court orders, reasonable discovery requests, and public requests for documents pursuant to Iowa Code Chapter 22, the Public (Open) Records Law. All University records are subject to public record requests, unless an expressed exception in the law recognizes the confidentiality of the material, such as the exceptions provided for student, medical, or library records. By statute, public records include all "records, documents, tape or other information, stored or preserved in any medium," generated by University faculty or staff.

The Public Records statute contains no general exception for documents generated by faculty or staff in the course of their employment. As a result, the University recommends that faculty and staff refrain from keeping personal information on University systems, and utilize a personal email account for their personal communications. Additionally, users should be aware that University records that are otherwise subject to open records requests do not become confidential if they are created or stored on personally owned devices or in personal accounts. Disputes over the applicability of any confidentiality exceptions may ultimately be decided by a court of law, not by the University. While the University does not routinely monitor individual usage of its information technology resources, the normal operation and maintenance of the University's information technology resources require the backup of data and communication records, the logging of activity, the monitoring of general usage patterns, and other such activities that are necessary for the rendition of service. The University may also inspect account contents and electronic files, or monitor usage for a limited time when, and only when, there is probable cause to believe a user has violated this or other University policies. Inspections or monitoring related to violations of policy or law must be authorized in advance by the University Chief Information Officer (CIO) or a designee, or, within the UI Hospitals & Clinics, the CIO of Health Care Information Systems or a designee, in consultation with University counsel and other appropriate University officials. These investigations will be conducted with advance notice to the user, unless, after consultation with University counsel, it is determined that notice would seriously jeopardize substantial interests of the University or of third parties. In addition, a supervisor or principal investigator may request access to retrieve assigned work without notice to the employee if the employee is unavailable for timely response.