Emergency Access to Accounts and Information

1.0 Introduction
2.0 Procedures
2.1 Emergency Information Access Due to Urgent University Business
2.2 Procedure for Accessing an Employee's Existing Mail or Files Stored on University Servers
2.3 Emergency Information Access in Response to a Court Order or Other Compulsory Legal Process
2.4 Account Access to an Unavailable Employee's Email
3.0 Related Policies and Links

1.0 Introduction

Brown offers electronic services to its computer users to perform work for the University in support of its mission.

While efforts are made to ensure reasonable expectations of privacy for Brown University computer users, legitimate reasons will arise that require access to information held on Brown workstations, servers or peripherals. These exceptions may be required based on legal action (such as a court order), may involve the health and/or safety of an individual or group, or be prompted by urgent University business needs.

Should an individual user be unavailable or unable to provide permission to access it, and if circumstances supersede the right to privacy, University access without the owner's permission will be provided with the approval of an authorized University official as described in the following procedures.

2.0 Procedures

2.1 Emergency Information Access due to Urgent University Business

When business needs require access to employee electronic information – whether stored in a personal mailbox, personal network space, on a personal hard drive, and/or backups of these – and the information owner is unavailable, an authorized University officer (see section 2, item #1 below) should email the Chief Information Security Officer (CISO) at Computing and Information Services (or designee) at ISG@brown.edu, who will review the request and authorize the specific access as necessary.

Examples of an employee's inability to provide consent include, but are not limited to the following:

  • Administrative leave
  • An employee leaves unexpectedly and ends up on a prolonged absence
  • An employee is suddenly terminated for cause
  • An employee is incapacitated for some reason and emergency access is required

2.2 Procedure for Accessing an Employee's Existing Mail or Files Stored on University Servers

  1. A department head sends an email request to ISG@brown.edu with the name of the person who requires access, the name of the employee whose existing information is to be exported, and specifics as to what information is needed. Outside of business continuation needs, the CISO will seek approval from a senior University official, such as:
    »Public Safety Chief of Police
    »Director of Brown University Health Services or Psychological Services
    »Vice President for Campus Life and Student Services (for students)
    »Provost (for faculty)
    »Vice President of Administration or Assistant Vice President of Human Resources (for staff)
  2. a) The CISO receives the approved request in email, verifies authorization from the appropriate University officer, and talks directly to the appropriate technical administrator (who will provide access to the information) and will also create a Remedy request*, assigning the ticket to the administrator.
    b) If the information is not accessible by CIS and is stored on a local server or personal hard drive, the CISO will coordinate efforts with local IT support personnel to obtain the requested information and convey it to the authorized requestor.
  3. The CIS technical administrator exports or provides access to the requested information, then works through the CISO to arrange for a transfer of the information to the requestor. If the request is for email messages, the requestor must specify which mailboxes contain the required information (Inbox, Sent Mailbox, etc.).
  4. The CIS technical administrator records what was done* and then closes the ticket.
  5. The CISO follow instructions from Authorized officers regarding the preservation and archival of requested data, and will document the request, disclosure details, the name and title of the requestor, and the reason for the emergency request. 

* No confidential information is ever to be stored in the Remedy Ticketing System. Requests must be modified to ensure confidentiality

2.3 Emergency Information Access in Response to a Court Order or Other Compulsory Legal Process

Any request for access to electronic information at Brown in support of legal actions must be immediately forwarded to Brown's Office of General Counsel (863-9900). Brown's legal representatives will guide any further actions by Brown employees.

2.4 Account Access to an Unavailable Employee's Email

When an employee is unavailable to receive and respond to email and urgent business needs require continuity of communication, the employee's supervisor may request that an "Out of Office" message be placed on the employee's email account.

Procedure for Creating an "Out of Office" message for an Unavailable Employee's Email Account
  1. The requestor's department head sends the request in email to ISG@brown.edu, including such details as the name of the email account owner who needs the Out of Office message added to their mailbox, and the text of that message.
  2. For terminated employees, it is also important to know how long the Out of Office message should be in place (usually two weeks to 30 days).
  3. The CISO receives the approved request and confers with the requestor. If the request is approved, the CISO works with Computing Accounts and Passwords (CAP), and CAP will create a Remedy request.
  4.  CAP confidentially accesses the mailbox for the sole purpose of creating and enabling the Out of Office message.
  5. CAP notifies the CISO and the original requestor, schedules the removal of the Out of Office message, and then closes the ticket.

3.0 Related Policies and Links

Electronic Email Policy
Computing Privileges
Computing Accounts Management Policy
Form to Request Privileged Access
Students Rights and Responsibilities: Family Educational Rights and Privacy Act
(specifically, section on "Consent to Disclosure and Disclosure Without Consent")

Questions or comments to: ITPolicy@brown.edu

Interim Policy Effective Date: November 10, 2004
Policy Approved: May 23, 2007
Last Reviewed: July 7, 2013