1.0 Policy Purpose
Electronic Information is integral to the academic, research, administration, and other activities of Brown University. This policy establishes the guidelines, procedures, and authorizations under which Authorized Individuals at Brown University may Access Electronic Information and defines consequences of misconduct.
2.0 To Whom and What Data This Policy Applies
This policy applies to anyone who directly interacts with Information Technology Resources, regardless of affiliation with Brown University.
This policy applies to all Electronic Information residing on or in a Brown University Information Technology Resource.
3.0 Policy Statement
Authorized Individuals may Access Electronic Information in a variety of circumstances, but only for a legitimate institutional purpose, as provided for in this policy. The sub-sections below describe certain purposes for which an Authorized Individual may Access such information. While this list is expected to cover most instances of Access, the list is not intended to be exhaustive.
Although this policy applies to Electronic Information of faculty, staff, and students alike, in evaluating the institutional purpose, the Data Trustee and/or Authorizing Official should, in each case, weigh not only the stated reasons for Access but also the possible effect of Access on Brown University values such as academic freedom as well as institutional trust and confidence.
This policy is grounded on these important principles:
- Access may occur only for a legitimate Brown University purpose;
- Access must be limited to the minimum Electronic Information necessary to accomplish the purpose;
- Data Trustees are responsible for ensuring Routine Access is appropriate;
- Non-Routine Access must be authorized by one or more Authorizing Officials;
- Only the minimal number of people should be authorized for Access. Access permissions are regularly reviewed by Data Stewards/Trustees;
- Sufficient records must be kept to enable Brown University or external auditors to review compliance with this policy; and
- Access guidelines are subject to ongoing oversight by the Data Governance Committee.
3.1 Routine Access
For routine Access, the Data Trustee is ultimately responsible for defining who may have Access to Electronic Information. Day-to-day operational decisions are made by the Data Steward, who then relies on the Data Custodian to implement systems to provide Data Users with the Access they need or respond to requests made by Data Users.
Data Trustees may publish policies defining Access to specific data types or elements, such as FERPA protected student data, public safety data, and legal documents. As additional policies are published, references to these policies will be added to this Electronic Information Access policy.
System Operations, Protection, Maintenance, and Management
Brown University Information Technology Resources often need to share data among themselves in order to function. Data Trustees review such integrations to ensure proper data sharing. Information Technology Resources require ongoing maintenance and analysis to ensure that they are operating properly; to ensure they are in compliance with regulatory and contractual obligations; to protect against security threats such as cyberattacks, malware, and phishing; and to protect the integrity and security of the Electronic Information. To do this work, Authorized Individuals may Access a Data User’s Electronic Information.
Electronic Information may be Accessed by Authorized Individuals to ensure business continuity in cases where, for example, an employee changes job functions within Brown University, takes a leave of absence, or terminates employment.
3.2 Non-Routine Access
Data Requesters should make requests for non-routine Access to the Data Trustee and, if declared, their designated backup. If neither the Data Trustee nor their designated backup are available, then the request should be made to the Vice President for Information Technology and Chief Information Officer (CIO). If none of the aforementioned individuals are available, then the request should be made to any Authorizing Official. For the remainder of this section, the person receiving the request will be referred to as the Data Arbiter.
The Data Arbiter works with the Data Requester, interacting with the Data Steward and Data Custodian as needed, to understand the nature and scope of the request. Once defined, they determine whether there is cause to continue with the request. If so, they document the request, and must include:
- The period of time for the non-routine Access
- The Authorized Individual(s)
- With whom the results should be shared
Once appropriate documentation has been assembled, the Data Arbiter must share the documented Access request with an Authorizing Official, who must also approve the need for the non-routine Access.
In order to ensure there are at least two approvals for each Access request, these requirements apply:
- The Data Arbiter and Authorizing Official may not be the same individual. If they are, then another Authorizing Official must approve the request before Access is granted.
- If the Data Requester is themselves an Authorizing Official, then the Data Arbiter does not need to seek approval of an additional Authorizing Official.
The Data Governance Committee provides a form which Data Users may use to request the decision of a Data Trustee is reconsidered or to report any concerns they have.
3.3 Investigative and Legal Access
Electronic information may be Accessed by Authorized Individuals to preserve, search, and review information in connection with:
- Threatened or pending litigation, including without limitation to comply with federal and state e-discovery rules;
- Governmental or law enforcement investigations;
- Legal processes;
- Subpoenas and court orders;
- Brown University investigations; and
- Brown University audit functions.
Brown’s Office of the General Counsel (OGC) reviews all investigation requests and provides written authorization to the Data Trustee before any Electronic Information is Accessed. Once authorization has been granted, the investigating department may work directly with the Data Trustee’s organization, unless OGC has indicated otherwise.
3.4 Emergency Access
In response to exigent situations presenting threats to the safety of the campus or to the life, health, or safety of any person, any Authorizing Official may grant Authorized Individual(s) emergency Access to necessary Electronic Information. The Authorizing Official must remain actively engaged with the Authorized Individual(s) for the duration of the emergency Access, providing prompt answers to any questions that may arise.
At the earliest opportunity, the Authorizing Official must notify the Data Trustee of the emergency Access by providing them with a copy of the documentation of the request, as detailed above in the non-routine Access section.
For the purpose of this policy, the terms below have the following definitions:
Review, use, or disclosure of content or activity data that is beyond the incidental contact with Electronic Information in the course of providing Information Technology Resources. For the avoidance of doubt, mere preservation of Electronic Information is not considered Access until review or disclosure occurs.
- Authorized Individual:
A person who has been granted Access to certain Electronic Information. This Access may be required on an ongoing basis in order to perform their job. In this case, the Access will be associated with a particular job function and is granted, monitored, and audited by the Data Trustee. In other cases, this Access may be granted for a short period of time by an Authorizing Official in order to perform a specific task.
- Authorizing Official:
A Brown University Presidential Cabinet member or designee whose responsibilities include oversight of certain constituencies (i.e. alumni, faculty, staff, and students). They are integral to deciding when exceptions should be granted to allow Non-Routine Access to Electronic Information.
- Brown Owned:
Anything purchased with Brown administered funds, including funds derived from Brown University budgets and external grants.
- Data Arbiter:
The person responding to a non-routine Electronic Information Access request. In most cases this will be the Data Trustee or their designated backup. If neither are available, then the request may be made to the CIO or, as a last resort, an Authorizing Official.
- Data Custodian:
A system administrator or other technical professional who is responsible for some aspect of the management and operation of any of the systems that serve as sources of institutional Electronic Information.
- Data Governance Committee:
A committee composed of faculty and staff whose purpose is to establish clear Electronic Information definitions, develop comprehensive policies, oversee documentation by which Brown University departments collect, steward, disseminate, and integrate Electronic Information on behalf of Brown University.
- Data Requester:
The person or persons who make an Electronic Information Access request.
- Data Steward:
A staff member with oversight responsibility for a subset of the Brown University's Electronic Information. The steward is typically a functional end user within an operational area who is deemed an expert regarding Electronic Information managed by that operational area.
- Data Trustee:
A senior Brown University administrator with significant responsibility for an operational area that uses a system/application serving as an authoritative source of Electronic Information relied upon by the Brown University community.
- Data User:
An individual who has Access to Brown University Electronic Information as part of assigned duties or in fulfillment of assigned roles or functions within the Brown University community.
- Electronic Information:
Often referred to as Electronically Stored Information (ESI). Any documents or information stored, in electronic form, on or sourced from Information Technology Resources. Common examples include: documents, spreadsheets, digital photographs, videos, communications (emails and their attachments, instant messages), voicemails, logs, data stored in Brown funded or contracted cloud services, data stored on Brown Owned devices, including, but not limited to: laptops, desktops, cell phones, and servers.
- Information Technology Resources:
Brown-owned facilities, technologies, and information resources used for Brown University processing, transfer, storage, and communications. Included, without limitations, in this definition are computer labs, classroom technologies, computing and electronic devices and services, email, networks, telephones (including cellular), voice mail, fax transmissions, video, multimedia, and instructional materials. This definition is not all inclusive but rather reflects examples of equipment, supplies and services. This also includes services that are Brown-owned, leased, operated or provided by Brown or otherwise connected to Brown resources, such as cloud and Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), or any other connected/hosted service.
All individuals to whom this policy applies are responsible for becoming familiar with and following this policy. University supervisors are responsible for promoting the understanding of this policy and for taking appropriate steps to help ensure compliance with it.
5.1 Authorizing Officials
Authorizing Officials are responsible to determine whether or not to grant Access. Upon making a decision to grant Access they must provide written authorization to the Data Trustee and/or Data Steward with explicit instructions as to the scope of the request and delivery instructions, in most cases following predefined procedures.
The following positions have been designated as Authorizing Officials over the various constituencies:
- Vice President for Research
- Vice President of Human Resources
- Dean of the College
- Dean of Engineering
- Dean of the Graduate School
- Dean of the School of Professional Studies
- Dean of the School of Public Health
- Senior Vice President for Health Affairs, Dean of Medicine and Biological Sciences
- Vice President for Campus Life and Student Services
- Senior Vice President for Advancement
- Vice President for Information Technology and Chief Information Officer (CIO)
- Executive Vice President for Finance and Administration
- Vice President and General Counsel
5.2 Data Trustee
The Data Trustee is ultimately responsible for safeguarding Access to data under their oversight. They define who may be granted routine Access to data, are responsible for defining the guidelines under which the Data Steward may operate and make operational decisions regarding data Access, monitoring the use of the data, and for performing routine audits to ensure Access to the data is appropriate.
They are the first point of contact for non-routine Access requests to data which is under their oversight. If the request for non-routine Access did not originate from an Authorizing Official, the Data Trustee is responsible for obtaining supporting authorization for any actions taken. They are responsible for ensuring the data Access request is properly documented.
5.3 Data Steward
Using guidelines developed by the Data Trustee, Data Stewards may be delegated responsibility to make day-to-day operational decisions.
For non-routine or emergency Access requests, they help the Data Trustee ensure the request is reasonable, help develop the required documentation, and often provide oversight in gathering and delivering the results.
5.4 Data Custodian
At the direction of the Data Trustee and/or Data Steward the Data Custodian arranges for Access within the requested scope and then provides a copy of the data as requested.
5.5 Data Governance Committee
The Data Governance Committee provides a means by which Data Users may request reconsideration of a Data Trustee’s decision or report any concerns they have. Data Users should use the Data Governance Committee Form for reconsideration requests or to report concerns.
6.0 Consequences of Violating this Policy
Failure to comply with this and related policies is subject to disciplinary action, up to and including suspension without pay, or termination of employment or association with Brown University, in accordance with applicable (e.g., staff, faculty, student) disciplinary procedures, or for non-employees may result in the suspension or revocation of the third party’s relationship with Brown University.
Individuals are also subject to federal, state, and local laws governing many interactions that occur on the Internet. These policies and laws are subject to change as state and federal laws develop and change.
7.0 Related Information
Brown University is a community in which employees are encouraged to share workplace concerns with Brown University leadership. Additionally, Brown University’s Anonymous Reporting Hotline allows anonymous and confidential reporting on matters of concern online or by phone (877-318-9184).
The following information complements and supplements this document. The information is intended to help explain this policy and is not an all-inclusive list of policies, procedures, laws and requirements.
7.1 Related Policies:
7.3 Related Forms:
7.4 Frequently Asked Questions (FAQs):