University of Glasgow - MyGlasgow - IT - Information Security - Policies

Extraordinary Circumstances IT Access Policy

1. Purpose

This policy provides legitimacy and clear guidance as to the circumstances and procedure under which access to a University IT account can be approved without the explicit consent of the user.

For the avoidance of doubt, where an absent user is able and willing to access and provide information then where appropriate, an attempt to contact them should be considered. This should be considerate of the absent user's circumstances. If the absent user is unable to access their account remotely, or it is inappropriate to request that they do, this policy sets out the circumstances in which an appropriate member of staff can be authorised.

2. Scope

All users of University ICT, and all information systems such as network filestore, email, desktop or laptop computers and any other device or data storage media owned by the University of Glasgow.

3. Criteria for allowing access

Access without a user’s consent to an IT account is only permitted in the following situations:

where necessary to meet the University’s legitimate business interests e.g to enable the continuity of teaching, research or administrative business when a user is on unplanned absence such as incapacitating illness or compassionate leave, or has left the University without proper leavers procedure being followed
where it is in the vital interests of an individual e.g if there are significant concerns regarding a user's personal safety
to satisfy the University's legal obligations e.g a valid court order is received
for disciplinary purposes where accusations of gross misconduct are being investigated Permission to allow access will only be approved when a request is received from the Head of School / Institute / University Services Division, containing a fully detailed case for why access is required

4. Formal Request Procedure

Where a legitimate criterion has been identified, the Head of School / Institute / University Services Division must contact the IT Services Helpdesk in writing (email is suitable) requesting access. The request must include:

The identity of the user (name and staff number)
Details of the information in question (be as specific as possible)
The case for why access is required
The named member of staff to be allowed temporary access, and an additional member of staff witnessing
The expected period of time that access is required

IT Services will assess the request to ensure it complies with this and any other relevant policies, and discuss with the requestor, providing advice as appropriate. In certain cases, e.g where the response may be unclear, IT Services may refer the request to an appropriate University authority. Where access is approved, IT Services will provide the delegated staff member with access to the required information.

5. Access Procedure

In addition to the delegated staff member, another individual must be present to witness what is being accessed.

A schedule of what information has been accessed will be recorded by the delegated staff member, and made available on request to the Head of School or Service.

Only University information should be accessed. Anything which appears to be of a personal nature should remain unopened. If this happens inadvertently, this should be recorded.

Emails should not be replied to from within an absent user’s account. Where appropriate, an out-of-office message should be placed on a user’s mailbox or delegated permissions configured for the duration of their absence.

Once the access is complete, IT Services must be informed so all temporary arrangements can be removed.

Where appropriate (such as return to work), the user must be given a copy of the record of what information was accessed, and made aware of any outstanding work regarding it.

6. Guidance for Users

Staff should be aware that their IT account may be accessed during unexpected or long-term absences.

To avoid any disclosure of personal data where University information is being accessed, users are advised that any personal emails should be headed "Personal" in the subject line and/or moved to a separate folder named "Personal", so that whoever might be assigned to check their emails will know not to open these messages.

Please note that personal correspondence may still be accessed in certain disciplinary situations, or in the vital interests of an individual.

7. Further Info

For further information, help and advice, please contact IT Services:

IT Services
ithelpdesk@glasgow.ac.uk
Ext. 4800


Title:	Extraordinary Circumstances IT Access Policy
Status:	Approved by IGG
Last update:	2016-12-16
Last review:	-

We use cookies

Necessary cookies

Analytics cookies

Clarity