Procedure for Third Party Access
Topic: Third-Party Access
Audience: Students, Faculty and Staff
Creation Date: January 24, 2008
Last Revision Date: June 26, 2016
Author: Theresa Rowe
University Technology Services periodically receives requests for third-party access to a university-assigned individual account. Examples of such requests are:
- Supervisor requesting access to an email account, file share, calendar, documents, or voice-mail of a former employee or soon to be former employee.
- Supervisor requesting access to an email account, file share, calendar, documents, or voice-mail of a current employee on leave of absence or vacation.
- University officials (OUPD, Student Affairs, etc.) or external agencies requesting access to email or other documents to conduct an investigation or respond to legal request.
- Requests for access to deceased person’s electronic data.
These examples are not intended as an exhaustive list. The common factor is the request to provide access to an individually assigned account or access to materials stored in that account to individuals who are not the account owner. Individuals are assigned account login identities and passwords, such as NetID. UTS regards electronic data, records and communications as equivalent to other physical materials and will typically handle release with comparable control mechanisms. Communications require the highest standard of privacy, and we seek to maintain the implied confidentiality agreement. The accounts have a specific service life, depending on relationship to the university and the access control. Information about the life of an account is located at http://www.oakland.edu/uts/accounts.
Where email is concerned, it must be noted that account access applies to all accounts accessed by NetID. There is no way to limit access to just email. Once third party access is allowed, the third party may access email, calendar, Moodle, library materials, and all other services authenticated by that account. There is no way to hide the fact that the account was accessed by a third party; the password is changed and the fact that there was access is transparent.
Requests for third-party access involve a person other than the assigned individual (the account owner) using the assigned identity to log into the account or requests to extract materials from the account to provide to a third-party. This third-party access procedure was developed in compliance with Policy #890 Use of University Information Technology Resources, acknowledging statements of privacy and the high standard for accessing accounts and communications without the authorization of the account owner.
In all cases, such access cannot be provided without the advance written authorization from the Office of Legal Affairs. Authorization must clearly approve access to all services, not just email. In some cases, accounts may provide access to systems or applications that are not hosted on campus; in those cases, contract review may be required to determine an acceptable release process. Access must clearly state whether the account credentials are to be provided to the third-party or if material is to be extracted from the accounts, reviewed by Legal Affairs, and subsequently provided to the third-party.
University Technology Services prefers that an employee, prior to departure, use auto-responding and voice-mail messages, notices, and forwarding tools. For email, one can find information on the implementation and usage of such tools within email help. The supervisor and the employee should both make every attempt to work out such access issues prior to the departure of the employee.
University Technology Services will comply with third-party access requests under the following guidelines:
Nature of the Request
If the access request is in conjunction with an investigation initiated through the Office of Legal Affairs or in conjunction with a deceased person, the Office of Legal Affairs must first clear and approve all access and communications. The legal status of the contents of a deceased person's online accounts may be considered estate property, similar to contents in a dorm room or assigned workspace, or it may be university property in the form of university information assets. UTS will work with Legal Affairs to determine who is authorized to take custody of the online property.
A request for access and/or possession of the electronic data of a deceased person should be made to the appropriate office.
- If the deceased person is a student, requests should be made to the Dean of Students.
- If the deceased person is an employee, requests should be made to the appropriate employment office, either University Human Resources or Academic Human Resources.
The department chair will first make reasonable efforts to contact the faculty member and notify the faculty member of the action. Approval must be obtained from the Academic Human Resources staff in the Office of the Provost and the department chair. If approved, those offices will send the request to the Office of Legal Affairs. The approved request for access must be sent to the firstname.lastname@example.org .
Other University Employees
The employee’s supervisor, department head, or University Human Resources representative will make reasonable efforts to contact the employee and notify the employee of the action. Approval must be obtained from the University Human Resources, the employee’s supervisor, followed by the Office of Legal Affairs. The approved request for access must be sent to the email@example.com .
Approval must be obtained from the Dean of Students, followed by the Office of Legal Affairs. The Dean of Students will communicate with the student as appropriate. The approved request for access must be sent to firstname.lastname@example.org .
Please note that in the case of overlapping relationships (i.e., an individual is an employee and student at the same time), all relevant approvals must be received.
If the request is in conjunction with an investigation authorized by the Office of Legal Affairs, UTS will take steps to preserve all communications, files, and logs in compliance with that request. Materials will be sent to the Office of Legal Affairs. UTS will comply with the retention period defined by the Office of Legal Affairs.
UTS will work with the supervisor to implement an auto-responding message to the employee’s email account such that anyone sending the employee email will receive a message that the person is either no longer at the university or that the employee is on leave from the university. The message will also state that messages are being forwarded to an email address specified by the supervisor or department head and important information should be sent directly to that email address. The text will be developed with the supervisor.
UTS will work with the supervisor to consider appropriate telephone transitions. UTS staff will provide access to needed files.