Procedure for Third Party Access
Topic: Third-Party Access
Audience: Students, Faculty and Staff
Creation Date: January 24, 2008
Last Revision Date: June 6, 2013
Author: Theresa Rowe
University Technology Services periodically receives requests for third-party access to an account. Examples of such requests are:
- Supervisor requesting access to an e-mail account, file share, calendar, or voice-mail of a former employee or soon to be former employee.
- Supervisor requesting access to an e-mail account, file share, calendar, or voice-mail of a current employee on leave of absence or vacation.
- University officials (OUPD, Student Affairs, etc.) requesting access to e-mail to conduct an investigation.
- Requests for access to deceased person’s electronic data.
These examples are not intended as an exhaustive list. The common factor is the request to access an account by individuals who are not the account owner. Individuals are assigned account login identities and passwords, such as NetID. UTS regards electronic data, records and communications as equivalent to other physical materials and will typically handle release with comparable control mechanisms. Communications require the highest standard of privacy, and we seek to maintain the confidentiality agreement. The accounts have a specific service life, depending on relationship to the university and the access control. Information about the life of an account is located at http://www.oakland.edu/uts/accounts.
In all cases, it must be noted that account access applies to all accounts accessed by NetID. There is no way to limit access to just email. Once third party access is allowed, the third party may access email, calendar, Moodle, and all other services authenticated by that account. There is no way to hide the fact that the account was accessed by a third party; the password is changed and the fact that there was access is transparent.
Requests for third-party access involve a person other than the assigned individual (the account owner) using the assigned identity to log into the account. This third-party access procedure was developed in compliance with Policy #890 Use of University Information Technology Resources, acknowledging statements of privacy and the high standard for accessing accounts and communications without the authorization of the account owner.
In all cases, such access cannot be provided without the advance written authorization from the Office of Legal Affairs. Authorization must clearly approve access to all services, not just email.
University Technology Services prefers that an employee, prior to departure, use auto-responding and voice mail messages, notices, and forwarding tools. For e-mail, one can find information on the implementation and usage of such tools within e-mail help. The supervisor and the employee should both make every attempt to work out such access issues prior to the departure of the employee.
University Technology Services will comply with third-party access requests under the following guidelines:
Nature of the Request
If the access request is in conjunction with an investigation initiated through the Office of Legal Affairs or in conjunction with a deceased person, the Office of Legal Affairs must first clear and approve all communications.
A request for access and/or possession of the electronic data of a deceased person should be made to the appropriate office.
- If the deceased person is a student, requests should be made to the Dean of Students.
- If the deceased person is an employee, requests should be made to the appropriate employment office, either University Human Resources or Academic Human Resources.
The department chair will first make reasonable efforts to contact the faculty member and notify the faculty member of the action. Approval must be obtained from the Academic Human Resources staff in the Office of the Provost and the department chair. If approved, those offices will send the request to the Office of Legal Affairs. The approved request for access must be sent to the firstname.lastname@example.org .
Other University Employees
The employee’s supervisor, department head, or University Human Resources representative will make reasonable efforts to contact the employee and notify the employee of the action. Approval must be obtained from the University Human Resources, the employee’s supervisor, followed by the Office of Legal Affairs. The approved request for access must be sent to the email@example.com .
Approval must be obtained from the Dean of Students, followed by the Office of Legal Affairs. The Dean of Students will communicate with the student as appropriate. The approved request for access must be sent to firstname.lastname@example.org
Please note that in the case of overlapping relationships (i.e., an individual is an employee and student at the same time), all relevant approvals must be received.
If the request is in conjunction with an investigation authorized by the Office of Legal Affairs, UTS will take steps to preserve all communications, files, and logs in compliance with that request. Materials will be sent to the Office of Legal Affairs. UTS will comply with the retention period defined by the Office of Legal Affairs.
UTS will work with the supervisor to implement an auto-responding message to the employee’s e-mail account such that anyone sending the employee e-mail will receive a message that the person is either no longer at the university or that the employee is on leave from the university. The message will also state that messages are being forwarded to an e-mail address specified by the supervisor or department head and important information should be sent directly to that e-mail address. The text will be developed with the supervisor.
UTS will work with the supervisor to consider appropriate telephone transitions. UTS staff will provide access to needed files.