Access Authorization Procedure

VPOC approval received Monday December 8, 2014

Purpose/Reason for This Procedure:

Exceptional circumstances may make it necessary to access the contents of University resources that have been allocated to a specific employee or student ("Account Holder").  This Procedure establishes the authorization required for providing such access to other than the assigned user.

For the purposes of the procedure, IT resources include but are not limited to individual accounts for using the University's:

  • Email and Calendar services,
  • Telephone and Voicemail services,  
  • Storage and Backup services including OneDrive and Active Directory File share, and
  • other account-based services such as Queen's Portal and Proxy services.

IT resources associated with courses offered by the University are outside of the scope of this procedure.

In all cases access will be limited in scope and time only to that which is necessary for the stated situation.

Procedure Owner:  ITS

Note: Unless otherwise stated, all University resources are provided to employees for University business and contain University records.

"...Records in the custody and control of the University are subject to the public right of access in the Freedom of Information and Protection of Privacy Act (FIPPA)."

EMAIL & FIPPA BEST PRACTICES (Office of the Access & Privacy Coordinator)

Under normal circumstances, the named/identified Account Holder has primary access to these University resources. The University reserves the right to access these resources under the following circumstances. The procedure will be based on authority and notification as indicated below.

A) Academic Staff Account Holders (includes Faculty, Adjuncts, Librarians, Archivists)

"Members have the right to privacy in their personal and professional communications and files, whether on paper or in electronic form, subject to the Freedom of Information and Protection of Privacy Act (FIPPA) and any other legal requirement. The Provost and Vice-Principal (Academic) may authorize access to a Member鈥檚 computing and network account(s) with the University only if there are reasonable grounds to believe that the Member may be threatening the security and integrity of the computing or network facilities, violating any software licensing agreement, or attempting to access another user鈥檚 account or data without that user鈥檚 permission". [QUFA Collective Agreement 2019-22]

The university is obliged to provide access for a search warrant authorized by a court.

B) Student Account Holders

Resources are private [1]. The University reserves the right to access under the following circumstances.

Situation

Authority(s)

Process/Procedure

Notice to Account Holder

After death of the Account Holder

Governed by the Student Death Protocol section of FIPPA

N/A

Where there are reasonable grounds to suspect Account Holder misconduct

One of:

  • Dean of Student Affairs
  • University Registrar

Authority completes 

Note: you may be contacted following submission to discuss the request and to provide additional details before access is granted.

No

Security or police request

Director of Campus Security

Authority contacts Information Security Officer

Determined by Authority

Search warrant

Court

Authority contacts Information Security Officer

Determined by Authority

Remedy an accidental breach of privacy and/or misdirected email

Access & Privacy Coordinator

Authority completes 

Note: you may be contacted following submission to discuss the request and to provide additional details before access is granted.

In writing from Authority

[1] Students who are also employed by the University should not use their student account for employment-related purposes . In such cases, the student should be provided with an employee account.

C) Non-QUFA Employees and Other Account Holders

Resources are not private, but may be used for private purposes. The University reserves the right to access under the following circumstances.

Notes:

  1. For most situations involving employees, that individual's Unit Head is the primary authority. Alternates are for situations where Unit Head is absent.
  2. IT Admin Reps may employ the procedures indicated below on behalf of their Unit Head, but the Unit Head remains the Primary Authority.

Situation

Authority(s)

Process/Procedure

Notice to Account Holder

Specific critical and/or time sensitive information required to conduct University business is needed from the account of an employee who is unreachable, or who refuses to provide access upon request

Primary: Unit Head

Alternates: 

Dean, AVP or higher

Authority completes 

Note: you may be contacted following submission to discuss the request and to provide additional details before access is granted.

In writing from Authority

Need to correct an erroneous "Out of Office" message created by an employee who is unreachable

Primary: Unit Head

 Alternates: 

Dean, AVP or higher

Authority completes 

Note: you may be contacted following submission to discuss the request and to provide additional details before access is granted.

In writing from Authority

Account Holder's employment terminated

Primary: Unit Head

Alternates:

HR Client Services Manager, Dean, AVP or higher

Authority completes 

Note: you may be contacted following submission to discuss the request and to provide additional details before access is granted.

No

After death of the Account Holder

Primary: Unit Head

Alternates:

HR Client Services Manager, Dean, AVP or higher

Authority completes 

Note: you may be contacted following submission to discuss the request and to provide additional details before access is granted.

N/A

Where there are reasonable grounds to suspect employee misconduct

Primary: AVP Human Resources

Alternates:  University Counsel

Authority completes 

Note: you may be contacted following submission to discuss the request and to provide additional details before access is granted.

No

Security or police request

Authority: Director of Campus Security

Authority contacts Information Security Officer

Determined by Authority

Search warrant

Court

Authority contacts Information Security Officer

 

Remedy an accidental breach of privacy and/or misdirected email

Primary: Access & Privacy Coordinator

Authority completes 

Note: you may be contacted following submission to discuss the request and to provide additional details before access is granted.

In writing from Authority

Respond to a freedom of information request under FIPPA or similar applicable legislation  where access refused upon request

Primary: Access & Privacy Coordinator

Authority completes 

Note: you may be contacted following submission to discuss the request and to provide additional details before access is granted.

In writing from Authority

Additional Context:

System administration and logs

System administrators and other employees responsible for troubleshooting or investigating system or security problems or complaints have access to resources, files and logs as necessary to fulfill their job duties. These employees are obligated to respect the privacy of all files and records.

Records of authorization

Records of authorization requests submitted through the online forms will be maintained by ITS and deleted after seven years. These records are classified as Confidential.

Unit Heads are advised to maintain their own records of Exceptional Access Authorization Requests.