This content is viewable by Everyone

Guideline

UCSF Implementation of the ECP - Access Without Consent

Access Without Consent to Electronic Communications Records

A. Authorization

An electronic communication holder's records may be inspected, monitored, or disclosed without the consent of the individual but with the approval of the authorizing Vice Chancellor (see Appendix A, Definitions) under the following conditions:

Electronic communication records that have been subpoenaed will be disclosed, as appropriate, with the approval of Campus Counsel.

B. Procedures

Before accessing an electronic communication without consent, except when an employee is separated from University and no longer has access to their email account, you must complete an access without consent form. This form is maintained by the Office of Legal Affairs.  The completion of this form documents that proper procedures have been followed before an electronic communication is accessed without the consent of the electronic communication holder.

Previously, when an employee separated without providing consent to access their electronic records, an access without consent form was required in order for IT to access the records. Although this is no longer the case, please note that access to electronic records should still be limited to the least perusal of contents and the least action necessary to resolve the business situation and all reasonable efforts should still be made to avoid accessing personal information.

B.1 Access Without Consent

The procedures below define the requirements for authorizing the inspection, monitoring, or disclosure of electronic communication records without the consent of the electronic communication holder. Overall Requirement For any request for access without consent, except when employee is separated from the University and no longer has access to their email account, an access without consent form must be completed. The form can be obtained from the Office of Legal Affairs or here PDF iconawoc_copy.pdf.  It is used to document the review process for access without consent.  

 

Request for Access to Electronic Communication Records

  1. The person requesting access to the electronic communication record(s) will complete the Requestor section of the access without consent form, and send it to the department head of the affected electronic communication holder. If the requestor is a department head, then the request must be sent to the department head's supervisor.
  2. The department head will complete the Department Head section of the UCSF Tracking Form for Access Without Consent to Electronic Communication Records. If the Department Head approves the request, s/he will send the form to Campus Counsel for further authorization. If the Department Head does not approve of the request, the denial will be indicated on the form, and returned to the requestor.
  3. Campus Counsel will complete the Campus Counsel section of the UCSF Tracking Form for Access Without Consent to Electronic Communication Records. If Campus Counsel approves the request, that will be indicated on the form, and the form will be sent to the appropriate Vice Chancellor. Staff requests will be sent to the Vice Chancellor of Finance and Administration; Academic appointee and student requests will be sent to the Vice Chancellor of Academic Affairs. Denied requests will be returned to the Department Head, who will communicate the denial to the requestor and send a copy of the tracking form to ITS/S&P, UCSF Box 0272.
  4. The authorizing Vice Chancellor will complete the Vice Chancellor section of the UCSF Tracking Form for Access Without Consent to Electronic Communication Records. Approved requests will be sent to the Department Head, who will ensure that the records are accessed as requested. The Access to the Requested Electronic Communication Record section of the form will be completed once access to the records has been completed. Denied requests will be returned to the Department Head, who will communicate the denial to the requestor and send a copy of the tracking form to ITS/S&P, UCSF Box 0272.

The completed form must be sent to ITS, Security & Policy, UCSF Box 0272, for summary reporting.

B.2 Emergency and Critical  Circumstances

In the following situations:

  1. Emergency Circumstances (see Appendix A, Definitions); and/or
  2. Time-dependent, Critical Operational Circumstances, in which there is detection of an incident involving potentially compromised UCSF data and/or UCSF patient data such as:
    • user account compromise (theft of credentials; unauthorized access to the user account); and/or
    • system compromise (theft of a system; unauthorized access to a system).

Pertinent records may be inspected, monitored, or disclosed without the prior consent of the authorizing Vice Chancellor. The least perusal and the least action necessary to resolve the emergency or time-dependent critical operational circumstances may be taken immediately without consent; however, proper authorization must then be sought and documented without unreasonable delay. The access without consent form must be used to document the post-authorization of emergency or time-dependent critical operational access to electronic communication records without prior consent of the individual. The procedures below define the requirements for authorizing the inspection, monitoring, or disclosure of electronic communication records under emergency or time-dependent critical operational circumstances:

  1. The department head will seek the approvals of Campus Counsel and the authorizing Vice Chancellor, which will be documented by their signatures in the appropriate sections of the UCSF Tracking Form for Access Without Consent to Electronic Communication Records.
  2. When the electronic communication records are accessed, that access will be documented in the Access to the Requested Electronic Communication Record section of the UCSF Tracking Form for Access Without Consent to Electronic Communication Records.
  3. If it is lawful to do so, the department head will notify the electronic communication holder that the record(s) have been inspected, monitored, or disclosed.

The completed form must be sent to the Information Technology Services (ITS), UCSF Box 0272, for summary reporting.

C. Recourse After Inspection, Monitoring, or Disclosure Without Consent

Under both the normal and emergency procedures defined above, the electronic communication holder may appeal the decision of a department head or the authorizing Vice Chancellor through UCSF personnel procedures.

D. Annual Reporting

The Information Technology Services (ITS) will annually produce a report of summary non-consensual access statistics with no information about individual cases, and shall be posted on the web so the data will be available to the University community and the public. See Attachment 2, page 7 for UC reporting requirements.