This policy applies to all MUS individuals using MUS-owned or managed computing and information resources (hereinafter “users”).
This policy outlines the general rules governing the MUS’s rights and responsibilities to monitor the use of the computers and networks it operates, and the balance between those rights and responsibilities and the expectation of a reasonable degree of privacy in the use of those facilities by users.
The MUS has the legal responsibility to ensure that the computers and networks it operates are used appropriately. The data contained on those computers and transmitted on those networks are presumed to be MUS property unless MUS’s rights are otherwise limited by law, policy, or contract. In any case, the data contained on those computers and transmitted on those networks is subject to monitoring and/or copying by the MUS. That is, in order to meet its obligations, the MUS, through individuals operating within the course of their legitimate job duties, may periodically, routinely, or for a specific purpose monitor activity on its computers and network. These individuals may include IT personnel and appropriate administrators and supervisors on each campus.
The types of activities the MUS may monitor and on which it may maintain records include, but are not limited to:
The MUS's general interests in these aspects stem from both its obligations to prevent misuse of its resources and its commitments to its users to provide certain services, such as backups of system and user data for use in case of system failures, reasonable and robust network performance, optimized access paths for frequently accessed Web sites, optimized network performance for other types of network activity (e.g., video conferencing, remote high speed computation), guarantees that system software is updated appropriately and efficiently, and blocking and/or detecting the sorts of disruptive activity characterized as hacking or system cracking, virus/worm infection, and denial of service. Routine network monitoring typically focuses on “general” patterns of use, but attempts to optimize performance, detect anomalies, or track down possible intrusions may lead to more specific monitoring. Activities such as routine system backups always involve collecting and copying user-specific data and the contents of e- mail systems. In copying data for these purposes the MUS gains the right to use such copies appropriately; it does not gain intellectual property rights to the information contained in the data.
Personal information gained through monitoring will be held in confidence by the MUS when required by law. Records obtained by monitoring may be used within the MUS by MUS officials, employees and agents for purposes appropriate to the management and administration of the MUS, including the
investigation of possible misconduct by a user or a third party. In addition, records will be released if necessary to comply with a court order or other legal instrument binding upon the MUS or its officials. Requests for records by members of the public will be complied with in a fashion consistent with the law on public access to records and privacy. Persons requesting public disclosure of such records may be assessed the reasonable costs of time and material involved in meeting the request.
Except for the identification, investigation, and prevention of misconduct by a user, including violations of law, MUS officials, employees, and agents will not divulge personally identifiable information obtained through monitoring.
The computing and information technology resources owned and managed by the MUS are used by three distinct classes of users, who gain access to information technology resources through very different relationships with the MUS, and hence to which different acceptable use policies must apply.
Because there are dramatic differences in the relationships between the MUS and individuals in each of these three groups, care must be taken to clearly identify the specific rights and responsibilities that pertain to each group of users. Also, a given individual may fall into more than one of the user classes, and hence gain different rights by virtue of participation in different types of activities. For example, MUS employee “Smith” gains “employee user” rights by virtue of his/her employment, and exercises those rights while at work. If Smith also registers for a class he/she gains “student user” rights for use in his/her academic pursuits. Finally, Smith may at any time visit a campus library and exercise “patron user” rights by using a public access terminal. It is reasonable to expect that the rights and responsibilities of an individual such as Smith differ depending on the context of his/her access, and the policies that apply to a given incident will therefore depend on the specific context of use.
Item 114-104-R0102, Privacy, Security, and Monitoring, approved by the Board of Regents on May 24, 2002; Item 155-101-R0512, revised May 25, 2012.