Security Incident
Report Problem
VPN
Login to vpn@ucsf
Help
Login to help@ucsfUCSF Implementation of the ECP - Access without Consent
Access Without Consent to Electronic Communications Records
A. Authorization
An electronic communication holder's records may be inspected, monitored, or disclosed without the consent of the individual but with the approval of the authorizing Vice Chancellor (see Appendix A, Definitions) under the following conditions:
- When required by and consistent with law
- When there is a substantiated reason to believe that violations of law or University policies have taken place (see Appendix C, policies relating to non-consensual access)
- When there are compelling circumstances (see Appendix A, Definitions)
- Time-dependent, critical operational circumstances (see Appendix A, Definitions)
Electronic communication records that have been subpoenaed will be disclosed, as appropriate, with the approval of Campus Counsel.
B. Procedures
Before accessing an electronic communication without consent, this form must be completed. The completion of this form documents that proper procedures have been followed before an electronic communication is accessed without the consent of the electronic communication holder.
B.1 Access Without Consent
The procedures below defines the requirements for authorizing the inspection, monitoring, or disclosure of electronic communication records without the consent of the electronic communication holder. Overall Requirement For any request for access without consent, this form must be completed. This form is used to document the review process for all access without consent. Without completing this form, access without consent cannot be granted under any circumstances.
Request for Access to Electronic Communication Records
- The person requesting access to the electronic communication record(s) will complete the Requestor section of the form, and send it to the department head of the affected electronic communication holder. If the requestor is a department head, then the request must be sent to the department head's supervisor.
- The department head will complete the Department Head section of the UCSF Tracking Form for Access Without Consent to Electronic Communication Records. If the Department Head approves the request, s/he will send the form to Campus Counsel for further authorization. If the Department Head does not approve of the request, the denial will be indicated on the form, and returned to the requestor.
- Campus Counsel will complete the Campus Counsel section of the UCSF Tracking Form for Access Without Consent to Electronic Communication Records. If Campus Counsel approves the request, that will be indicated on the form, and the form will be sent to the appropriate Vice Chancellor. Staff requests will be sent to the Vice Chancellor of Finance and Administration; Academic appointee and student requests will be sent to the Vice Chancellor of Academic Affairs. Denied requests will be returned to the Department Head, who will communicate the denial to the requestor and send a copy of the tracking form to OAAIS/EIS UCSF Box 0707.
- The authorizing Vice Chancellor will complete the Vice Chancellor section of the UCSF Tracking Form for Access Without Consent to Electronic Communication Records. Approved requests will be sent to the Department Head, who will ensure that the records are accessed as requested. The Access to the Requested Electronic Communication Record section of the form will be completed once access to the records has been completed. Denied requests will be returned to the Department Head, who will communicate the denial to the requestor and send a copy of the tracking form to OAAIS/EIS, UCSF Box 0707.
The completed form must be sent to OAAIS, Enterprise Information Security, UCSF Box 0707, for summary reporting.
B.2 Emergency Circumstances
In emergency circumstances (see Appendix A, Definitions), records may be inspected, monitored, or disclosed without the prior consent of the authorizing Vice Chancellor. The least perusal and the least action necessary to resolve the emergency may be taken immediately without consent; however, proper authorization must then be sought and documented without delay. The form must be used to document the post-authorization of emergency access to electronic communication records without prior consent of the individual. The procedures below define the requirements for authorizing the inspection, monitoring, or disclosure of electronic communication records under emergency circumstances:
- The department head will seek the approvals of Campus Counsel and the authorizing Vice Chancellor, which will be documented by their signatures in the appropriate sections of the UCSF Tracking Form for Access Without Consent to Electronic Communication Records
- When the electronic communication records are accessed, that access will be documented in the Access to the Requested Electronic Communication Record section of the UCSF Tracking Form for Access Without Consent to Electronic Communication Records.
- If it is lawful to do so, the department head will notify the electronic communication holder that the record(s) have been inspected, monitored, or disclosed.
The completed form must be sent to the Office of Academic and Administrative Information Systems (OAAIS), UCSF Box 0704, for summary reporting.
C. Recourse After Inspection, Monitoring, or Disclosure Without Consent
Under both the normal and emergency procedures defined above, the electronic communication holder may appeal the decision of a department head or the authorizing Vice Chancellor through UCSF personnel procedures.
D. Annual Reporting
The Office of Academic and Administrative Information Systems (OAAIS) will annually produce a report of summary non-consensual access statistics with no information about individual cases, and shall be posted on the web so the data will be available to the University community and the public. See Attachment 2, page 7 for UC reporting requirements.