University access; your right to privacy
The University's right to access files
All contents in storage on University and University-contracted data and voice systems are subject to the rules of Princeton University, including the University's ability under certain circumstances to access, restrict, monitor and regulate the systems that support and contain them. In general, and subject to applicable law, the University reserves the right to access and copy files and documents (including e-mail and voice mail) residing on University-owned equipment and in storage contracted by the University from outside enterprises. This includes access without notice, where warranted. Non-intrusive monitoring of campus network traffic occurs routinely, to assure acceptable performance and to identify and resolve problems. If problem traffic patterns suggest that system or network security, integrity, or performance has been compromised, network systems staff will investigate and protective restrictions may be applied until the condition has been rectified.
Some departments that maintain servers or internal networks may collect usage data and may monitor such servers or networks to ensure adequate technical performance. Departments that collect such data are expected to protect the privacy of those using the resources. It is also important to note that the University may be required to produce such data in compliance with a valid subpoena or court order.
The University also provides some access to files and documents residing on University-owned equipment (and/or transmitted via the University’s network services) to outside vendors who have been contracted with to provide technology services. The University contracts with such vendors contain firm provisions for security of information and for the privacy of members of the University community who may use those services.
Degrees of privacy
Students, for whom the University effectively is a residence during the academic year, normally are afforded a high degree of privacy. University employees, who are provided with the use of University resources for work-related purposes, are afforded a lesser degree of privacy. For example, employees may be directed to share certain work files and information with others or to make a computer account accessible to a supervisor to assure effective backup or execution of the work when no other practical means exist for sharing the needed information readily and securely. In the event that business-related files (including e-mail and digitized voice messages) stored on an employee's account or workstation must be accessed, whether because of unexpected absence, death, or termination of employment, or other necessity, such files may be accessed by the employing department after consultation with the Office of Human Resources, Office of Dean of the Faculty, Office of Dean for Research, and/or Department of Public Safety, as appropriate and based on business need. On employee termination, supervisors are expected to assure that passwords to computers, other networked devices, and accounts are obtained and changed if the work of the unit requires access to data or resources previously managed by the employee, and that copies of critical work product remain available following the employee’s separation from the University.
If you are a supervisor who has access to an employee’s files or e-mail, or have been designated by a supervisor to access another employee’s files or e-mail, you should be careful to avoid reading personal items that may be stored in the same area. For example, upon learning that an e-mail or voice mail message is personal, and not business-related, the supervisor or designee should immediately exit the file or message. The supervisor or designee should be careful to avoid examining any personal information the University may provide to the employee via password access, such as benefits or payroll data. When an employee leaves the University, the employee normally should be given the opportunity to remove any personal files or e-mail from University computers and other University-owned networked devices before departure. Departing employees are not entitled to remove, destroy or copy any of the business-related documents entrusted to their care or created by them during their employment, unless otherwise permitted by the University. The University’s record retention policy also must be observed. See University Records Management at www.princeton.edu/records. Where the Office of the General Counsel has issued a “Legal Hold Notice,” individuals may be required to suspend regular retention practices and to retain information until further notice from the Office of the General Counsel, including after an employee’s departure from the University.
In addition to information you may store on devices owned by the University, the University and its contractors maintain certain system backups and logs of e-mail and network transactions. If the University is presented with a valid subpoena or court order requiring that such information be produced (or preserved), or directing that the University assure that its employees produce (or preserve) such information, the University may be bound by law to comply. Similarly, the University also may be obligated to disclose the identity of an account-holder or identity of the person who owns a computer or other registered network device, is responsible for a University-owned computer or networked device, or holds a University-assigned account used in some electronic transaction.
Supervisors are encouraged to communicate the University's expectations regarding privacy of employee files and e-mail, and to remind employees of these expectations periodically. Supervisors also are expected to take prompt action to retrieve or preserve employee files needed to continue the work of the department when an employee is about to separate from the University.