Privileged access has its responsibilities

October 5, 2007

A message from Karen Eft, OCIO-SPP

Basic principles

In today's "e-everything" academic environment, protecting the security and privacy of electronic information has become a basic tenet. Therefore, technical support staff who have "privileged access" to information stored and processed on campus computers and systems must uphold the very highest level of ethical conduct. As one method to ensure all parties are informed about and concur with that responsibility, a Model Privileged Access Agreement template is available for adaptation and use by campus technology service providers.

University and campus technology policies are designed to convey what needs to be done to stay in compliance with laws — and with community principles — while at the same time providing high-quality, reliable, and timely services. For example, system administrators must follow the UC Electronic Communications Policy (ECP) provisions that mandate using the "least perusal of contents and the least invasive action necessary" to resolve a technical support issue.

Keeping up with the deluge of laws and regulations governing security and privacy can be very difficult, especially if your "real job" is technology service provision. That's where the OCIO—Security, Privacy, and Policy department can help. We are constantly filtering through that deluge, identifying and summarizing relevant information, and pointing to applicable policies, guidelines, and processes for the campus community. For example, see the new Campuswide IT Policy and Privacy page on the Technology @ Berkeley website.

Requests to provide electronic evidence

Individuals with privileged access to electronically stored information may, at times, be asked to provide evidence for an investigation. If the evidence is in the form of an electronic communication (as opposed to just being electronically stored and never intended to be transmitted), then we must follow ECP procedures to determine whether the consent of the "holder" is required before we access, review, copy, or provide it to the requester. It's important to note that system administrators are not considered to be the "holder" of electronic communications for the purposes of the ECP. For more information, see the "Procedures for requesting access without consent" section of the Approval for Accessing Berkeley Campus Electronic Communications web page.

Although requests in the form of court orders such as subpoenas, warrants, or other types of legal instruments, can "trump" the ECP consent process, these must be received in writing and be cleared by University or campus legal counsel before we respond. Another situation that supersedes the ECP consent process is a request from Internal Audit in connection with an official case they are investigating.

Admittedly, it can be daunting for front-line service administrators to know how to respond to various types of requests. There are a plethora of regulations and procedures for different situations. For a basic set of scenarios, see How to Respond to Requests for Electronic Evidence. Questions about specific situations may be addressed to itpolicy@berkeley.edu.

Related resources