Electronic Information Privacy
[The following was approved by the Board of Trustees of Southern Illinois University on July 14, 1994, with ammendments on March 13, 2003 and appears as SIU Board of Trustees 5 Policies J.]
Southern Illinois University takes justifiable pride in the electronic information systems provided to its faculty, staff, and students. These resources include computer systems, university-owned computers and work stations, software, data sets, and communications networks. Members of the university community may use these resources only for purposes related to their studies, instruction, the discharge of duties as employees, official business with the university, or other university-sanctioned activities. Any other use, unless specifically authorized, is prohibited.
Access to the university's electronic information systems is a privilege to which all university faculty, staff, and students may be entitled to some degree. Certain responsibilities accompany that privilege; understanding them is important for all users. Those within the university community who make use of these resources are subject to high standards of ethics to insure the privacy, security, and proper use of data. Recognized as a primary educational, research, and administrative asset, the university's electronic information systems should be protected from unauthorized modification, destruction, disruption or disclosure-whether accidental or intentional.
User Responsibility for Security of Stored Information
The user is responsible for correct and efficient use of the tools each electronic information system provides for maintaining the security of stored information.
- Individual users to whom computer accounts, passwords, and other types of security authorizations have been assigned must obey any express restrictions on disclosure of such authorizations to others. No otherwise authorized disclosure may be made until the proposed recipient of the disclosure has demonstrated familiarity with the security requirements for usage of the authorizations and agreed to comply with them.
- The user must strive to understand the level of protection each electronic information system automatically applies to files and supplement that protection, if necessary, for sensitive information.
- The microcomputer user must be aware of computer viruses and other destructive computer programs, and take steps to avoid being either their victim or propagator by using up-to-date anti-virus software.
- Use of computers by individuals implies that they accept responsibility for protecting any information (processed and/or stored under directories or accounts assigned to them) which is derived from restricted, licensed, or proprietary information.
Confidentiality of Stored Information
- Information stored on electronic information systems is considered confidential, whether protected by the computer system or not, unless the owner intentionally makes that information available to other groups or individuals. The university assumes that computer users wish the information they store on central and campus shared computing resources to remain confidential.
- Requests for the disclosure of confidential information outside the university will be governed by the provisions of law, including but not limited to the Family Educational Rights and Privacy Act of 1974, the State Records Act, and the Illinois Freedom of Information Act. All such requests will be honored only when approved by university officials who are the legal custodians of the information requested, or when required by state or federal law or court order. A current statute which protects the electronic mail users is the federal Electronic Communications Privacy Act of 1986. This law basically protects messages while in transmission on a public mail service as well as after messages are received and stored on that service.
Computing and networking resources may be used only in accordance with accepted university practice. Examples of inappropriate and unacceptable use of computing and networking resources include
- harassment of other users;
- destruction of or damage to equipment, software, or data belonging to the university or other computer and networking users;
- disruption or unauthorized monitoring of electronic communications;
- violations of computer system security;
- unauthorized use of computer accounts, access codes, or network identification numbers assigned to others;
- use of computer and/or network facilities in ways that impede the computing activities of others;
- use of computing facilities for personal or business purposes unrelated to the mission of the university;
- violation of copyrights and software license agreements;
- violation of the usage policies and regulations of the networks of which the university is a member or which at least has authority to use;
- violation of another user's privacy;
- academic dishonesty such as plagiarism or cheating;
- accessing, or attempting to access, another individual's or entity's data or information without proper authorization regardless of the means by which this access is attempted or accomplished;
- giving another individual the means to access data or information they are not authorized to access;
- obtaining, possessing, using, or attempting to use passwords or other information about someone else's account;
- inspecting, modifying, distributing or copying data, mail messages, or software without proper authorization, or attempting to do so;
- tapping phone or data lines.
The university considers electronic mail to be a confidential, direct communication between sender and receiver(s). Accordingly, it should not be monitored, observed, viewed, displayed, or reproduced in any form by anyone other than the sender or intended recipient(s). E-mail users should exercise the same restraint and caution in drafting messages that they would when writing a formal memorandum using university letterhead and assume that their messages will be saved and be seen by someone other than the original addressee.
Electronic mail may be disclosed to others with a need to know under law and university policy. Examples include
- incidental disclosure to technicians or supervisors during maintenance or repair procedures;
- disclosure to internal or external auditors pursuant to their audit programs;
- disclosure to adverse parties in civil lawsuits pursuant to mandated discovery procedures, or to attorneys for the university for use in preparing a defense against such suits;
- disclosure to administrative, regulatory, or law enforcement authorities discharging their mandated functions, or to attorneys for the university for use in defending against charges or sanctions;
- disclosure made for the purpose of resolving internal disputes including but not limited to those arising under grievance policies; parking and traffic regulations; student conduct codes; academic admissions, retention, grading and degree awards policies or practices; patent and copyright policies; indemnification policy liability and self-insurance programs; electronic information systems policies, and any external appeals of unresolved internal disputes.
Violation of the policies described herein for use of computing resources will be dealt with seriously. Violators are subject to disciplinary procedures of the university and, in addition, may lose computing privileges. Illegal acts involving the university's computing and networking facilities may also be subject to prosecution by state and federal authorities.