Procedure for Third Party Access
Topic: Third-Party Access
Audience: Students, Faculty and Staff
Creation Date: January 24, 2008
Last Revision Date: September 7, 2017
University Technology Services periodically receives requests for third-party access to a university-assigned individual account. Examples of such requests are:
- Supervisor requesting access to an email account, file share, calendar, documents, or voice-mail of a former employee or soon to be former employee.
- Supervisor requesting access to an email account, file share, calendar, documents, or voice-mail of a current employee on leave of absence or vacation.
University officials (OUPD, Student Affairs, etc.) or external agencies requesting access to email or other documents to conduct an investigation or respond to legal request. The authority to conduct an investigation must be reviewed first.
- Requests for access to deceased person’s electronic data.
These examples are not intended as an exhaustive list. The common factor is the request to provide access to an individually assigned account or access to materials stored in that account to individuals who are not the account owner. Individuals are assigned account login identities and passwords, such as NetID. UTS regards electronic data, records and communications as equivalent to other physical materials and will typically handle release with comparable control mechanisms. Communications require the highest standard of privacy, and we seek to maintain the implied confidentiality agreement. The accounts have a specific service life, depending on relationship to the university and the access control. Information about the life of an account is located at http://www.oakland.edu/uts/accounts.
Where email is concerned, it must be noted that account access applies to all accounts accessed by NetID. There is no way to limit access to just email. Once third party access is allowed, the third party may access email, calendar, Moodle, library materials, and all other services authenticated by that account. There is no way to hide the fact that the account was accessed by a third party; the password is changed and the fact that there was access is transparent.
Requests for third-party access involve a person other than the assigned individual (the account owner) using the assigned identity to log into the account or requests to extract materials from the account to provide to a third-party. This third-party access procedure was developed in compliance with Policy #890 Use of University Information Technology Resources, acknowledging statements of privacy and the high standard for accessing accounts and communications without the authorization of the account owner.
In all cases, such access cannot be provided without the advance written authorization from the Office of Legal Affairs. Authorization must clearly approve access to all services, not just email. In some cases, accounts may provide access to systems or applications that are not hosted on campus; in those cases, contract review may be required to determine an acceptable release process. Access must clearly state whether the account credentials are to be provided to the third-party or if material is to be extracted from the accounts, reviewed by Legal Affairs, and subsequently provided to the third-party.
University Technology Services prefers that an employee, prior to departure, use auto-responding and voice-mail messages, notices, and forwarding tools. For email, one can find information on the implementation and usage of such tools within email help. The supervisor and the employee should both make every attempt to work out such access issues prior to the departure of the employee.
Please note there are four status levels on a NetID account closure:
- NetID account lock and password scramble: The password for the NetID account is scrambled and not disclosed to the individual. The Google password is scrambled and "Reset Sign-In Cookies" is cleared to log user out of all active sessions. The individual no longer has access, so auto-response and message forwarding must be set up prior to the NetID account lock. The individual cannot reset the password to regain access to the account; password reset is disabled. This method of password scrambling may be useful for very short time periods when an auto-response or auto-forward is desired on an employee account. This is typically an unusual employee situation and the employee is still active in Banner as an employee. The NetID account is locked until deleted by normal account termination processes. The Gmail account is manually set to process email to allow for temporary auto-response messages and email forwarding for a limited time, until the employee is officially terminated. Auto-response message is required and must state that the employee is no longer at the university to prevent misleading a person sending the email to the account. Normal termination processes follow and terminate the account at an identified future date within contract terms. The request for this process must be submitted by the supervisor and approved by University Human Resources prior to employee departure.
Account Suspended: A Suspended User creates a locked account. A locked is preserved, but no new mail is received. Instead, a message that the "Message Was Not Delivered" will be returned to the message sender. Therefore, since no message was received by the account, no auto-response or auto-forward will be generated. This action closes the account in preservation status for specific review, investigation, or security issues.
- Account termination: These accounts are ended with the employee termination or change of student status, and the accounts are deleted according to the relationship schedule. Accounts are not recoverable.
- Preservation Hold: This is a specific Google status. When a Google account is placed on preservation hold status, the data are preserved indefinitely until the hold is removed. Data are preserved in Google Vault. The user may continue to use services as normal, but all data are preserved in Vault. Use of a Preservation Hold requires advance approval from the Office of Legal Affairs.
University Technology Services will comply with third-party access requests under the following guidelines:
Nature of the Request
If the access request is in conjunction with an investigation initiated through the Office of Legal Affairs or in conjunction with a deceased person, the Office of Legal Affairs must first clear and approve all access and communications. The legal status of the contents of a deceased person's online accounts may be considered estate property, similar to contents in a dorm room or assigned workspace, or it may be university property in the form of university information assets. UTS will work with Legal Affairs to determine who is authorized to take custody of the online property.
A request for access and/or possession of the electronic data of a deceased person should be made to the appropriate office.
- If the deceased person is a student, requests should be made to the Dean of Students.
- If the deceased person is an employee, requests should be made to the appropriate employment office, either University Human Resources or Academic Human Resources.
The department chair will first make reasonable efforts to contact the faculty member and notify the faculty member of the action. Approval must be obtained from the Academic Human Resources staff in the Office of the Provost and the department chair. If approved, those offices will send the request to the Office of Legal Affairs. The approved request for access must be sent to the firstname.lastname@example.org .
Other University Employees
The employee’s supervisor, department head, or University Human Resources representative will make reasonable efforts to contact the employee and notify the employee of the action. Approval must be obtained from the University Human Resources, the employee’s supervisor, followed by the Office of Legal Affairs. The approved request for access must be sent to the email@example.com .
Approval must be obtained from the Dean of Students, followed by the Office of Legal Affairs. The Dean of Students will communicate with the student as appropriate. The approved request for access must be sent to firstname.lastname@example.org .
Please note that in the case of overlapping relationships (i.e., an individual is an employee and student at the same time), all relevant approvals must be received.
If the request is in conjunction with an investigation authorized by the Office of Legal Affairs, UTS will take steps to preserve all communications, files, and logs in compliance with that request. Materials will be sent to the Office of Legal Affairs. UTS will comply with the retention period defined by the Office of Legal Affairs.
UTS will work with the supervisor to implement an auto-responding message to the employee’s email account such that anyone sending the employee email will receive a message that the person is either no longer at the university or that the employee is on leave from the university. The message will also state that messages are being forwarded to an email address specified by the supervisor or department head and important information should be sent directly to that email address. The text will be developed with the supervisor.
UTS will work with the supervisor to consider appropriate telephone transitions. UTS staff will provide access to needed files.