Acceptable Use Policy
Premises
- These scenarios depict real life situations at the HSC and propose one or more of many “right” ways to handle them. These are not policies, but are intended to provide you with a direction that would be acceptable under UF and UF HSC Acceptable Use policies and guidelines.
- Employees should have no expectation of privacy while using UF computer systems.
- The UF will not access employee email content without a legitimate business or legal reason to do so, as determined by Employee Relations, Office of General Counsel, the Privacy Office or the Security Office, in conjunction with Unit Leadership.
- Keeping data longer than is legally required matters. It not only becomes a significant waste of human and technology resources, but it also could be a liability.
- Using an email system for storing original electronic records that have a material retention policy is a bad idea. Use the departmental secure file system instead.
- Focus for our IT staff should be on the health of the systems they run, not on catching and sanctioning users. Eventually, most types of abuses will be technically preventable without intrusion on normal business and catching and sanctioning users will be minimal.
- Email Scenarios
- Pornography Related Scenarios
- Resource Scenarios
- News Reporter Scenario
- Public Records Request Scenario
- Fundraising Scenarios
- Email Scenario – Employee amicable separation
An employee has given his two-week notice to his supervisor. What are appropriate ways to handle his UF email?
Most importantly, it should be taken care of while the employee is still an employee. In addition you should have a predefined and well communicated termination procedure that addresses how long a supervisor may let a separated employee’s email live on-line before it is deleted or archived.
The employee cleans out (deletes or forwards to a personal email account) his personal email.
The employee and the supervisor then determine the disposition of the remaining business email. Important attachments should be saved to the department fileshare where the supervisor can access them. Important business messages should be forwarded to the supervisor by the employee. Alternatively, the employee can make the supervisor a proxy and the supervisor can save the important attachments and forward the important messages. When completed, the supervisor should notify the email administrator to terminate the email account and purge the mailbox.
Despite the two weeks notice, the separating employee and his supervisor never got around to clearing the employee’s email. Still, the supervisor claims there is important business information that needs to be retained, and new email coming in needs to be addressed. He has asked the email administrator to simply auto forward the separated employee’s email to the email of the replacement employee, and to make the replacement employee a proxy. How should this be handled?
Do not forward the separated employee’s email. Create an out of the office reply with instructions for senders from the separating employee’s supervisor. Do not make the replacement employee a proxy in the separated employee’s email.
Provide the supervisor proxy access for an agreed upon period of time, not to exceed 30 days. The supervisor can then access the former employee’s mailbox, save the important attachments and forward the important messages. When completed, the supervisor should notify the email administrator to terminate the email account and purge the mailbox.
The mildly unambitious supervisor still did not clear the employee’s email, even after 30 days and still insists that the email is important. How should this be handled?
Archive the email and save it on an encrypted CD. Provide the supervisor with the CD, the encryption key or passphrase and the logon id and password to the email. Then, terminate the email account and purge the mailbox.
The supervisor should not read any messages that are clearly personal in nature by the subject line. If the subject line is ambiguous and the supervisor opens a personal email message by mistake, they should close the email as soon as it is evident that the email is not business related. If the supervisor inadvertently discovers anything illegal (i.e. child pornography) while legitimately reviewing an employee’s email, he must report it to the proper authority as soon as possible.
- Email Scenario – Abrupt employee separation
An employee leaves the institution abruptly with no lead time to participate in clearing her email with her supervisor. How should this be handled?
You should have a predefined and well communicated termination procedure that addresses how long a supervisor may let a separated employee’s email live on-line before it is deleted or archived.
The email administrator provides the supervisor proxy access for an agreed upon period of time, not to exceed 30 days. The supervisor can then access the former employee’s mailbox, save the important attachments and forward the important messages. When completed, the supervisor should notify the email administrator to terminate the email account and purge the mailbox.
Alternatively, the email administrator can archive the email and save it on an encrypted CD. Then, provide the supervisor with the CD, the encryption key or passphrase and the logon id and password to the email. Then, terminate the email account and purge the mailbox.
In either case, it is strongly recommended that the supervisor have someone working with them on this task of reviewing the separated employee’s email to be able to attest to the reasonableness of the review should the former employee accuse the University of an invasion of privacy at a later date.
The supervisor should not read any messages that are clearly personal in nature by the subject line. If the subject line is ambiguous and the supervisor opens a personal email message by mistake, they should close the email as soon as it is evident that the email is not business related. If the supervisor inadvertently discovers anything illegal (i.e. child pornography) while legitimately reviewing an employee’s email, he must report it to the proper authority as soon as possible.
- Email Scenario – Access by former employee
An employee has given her two weeks notice. She asks you to make a copy of her email box for her to take with her when she leaves. How should you handle this?
While she is an employee, she is an authorized user of all of the information in her email. The day she separates from the University, she is no longer an authorized user of any Restricted, Sensitive or Operational information in her former University email box. Therefore, if you give her a copy of her entire email box knowing she is leaving soon, you would be providing access to an unauthorized person and in violation of Privacy and Security policies. See email scenario 1 on how this request should be handled.
The employee follows the direction and cleans out her email with her supervisor prior to leaving. Two weeks after she separates from the University, she sends you an email containing a public records request for her former email messages. Apparently, while sorting and clearing her email with her supervisor prior to departure she failed to collect all of her personal messages that she wanted to retain. She once again has asked for you to make a copy of her email box and send it to her, stating she knows it is still available and it no longer contains business email since she and her supervisor removed them prior to her departure. How do you handle this?
You still may not make a copy of her entire email box content and send it to her. Notify your supervisor and her former supervisor that you have received the request; they should seek guidance from the Office of General Counsel and UF Privacy Office if there is any chance that her email contains Restricted information. Her public records request must be responded to in a reasonable amount of time. If she is willing, attempt to get her to be more specific by describing the information she is seeking. Her email must be sorted through by someone familiar enough with her work to be able to determine Restricted or Sensitive information that should not be used to satisfy her public records request (i.e. her supervisor.) If the task of gathering the records she is seeking involves a significant technical effort or if the output will be generated on volumes of paper or expensive media, reasonable charges may be assessed. Again, the Office of General Counsel should be utilized for consultation in responding to Public Records requests.
- Email Scenario – Unknown issue
A supervisor approaches you and asks you to provide her access to one of her current employee’s email box. She claims it is for an investigation, but cannot tell you the nature of it because you do not have a “need to know”. How should you handle this?
Explain to the supervisor that permitting her to access the employee’s email without consent requires collaboration from the UF Privacy Office, the HSC Security Office, Human Relations or the Office of General Counsel. Do not provide access to the supervisor until that collaboration is evident.
- Email Scenario – Business issue
A supervisor approaches you and informs you that she needs access to an important email attachment in one of her current employee’s email box. The employee is on sabbatical and out of the country and cannot be reached for consent. How should you handle this?
Ask the supervisor to obtain written approval from the department Dean, Director or Department chair. Then provide the supervisor with proxy access for an agreed upon period of time. Make sure the proxy access is revoked after the supervisor has obtained the message or file she needs for business purposes.
- Email Scenario – Employee behavior issue
A supervisor approaches you and informs you that he thinks one of his employees is running a real estate business out of her UF HSC office. He requests to access her email to confirm his suspicion and determine the extent of the problem. How should you handle this?
Access to email for purposes of investigating personnel issues must be approved by UF Human Resources, and the UF Privacy Office must be notified that the access is taking place. Ask the supervisor to involve these appropriate parties prior to granting the request.
- Email Scenario – Privacy investigation
The UF Privacy Officer asks you to provide her access to an employee’s email for purposes of investigating a privacy incident. How should you handle this?
Ask the Privacy Officer to put the request in writing and make sure the Office of General Counsel and UF Human Resources are carbon copied on the request. Then provide proxy access for an agreed upon period of time for the Privacy Officer to complete her investigation.
- Email Scenario – Security incident investigation
The UF HSC Security Office informs you that an employee has launched a phishing scam from his email and requests temporary access to the employee’s email. How should you handle this?
Ask the Security Office to make the request in writing and make sure the Office of General Counsel, UF Human Resources and the Privacy Office are carbon copied on the request.
The UF HSC Security Office agrees to have the request made in writing, but asks you to suspend the email account of the employee while the request is being processed. How should you handle this request?
Ask the UF HSC Security Office to ensure the suspension of the account is being communicated to the user; then proceed with temporarily suspending the account.
- Email Scenario - Legal
A detective from the Gainesville Police Department arrives in your department and requests access to an employee’s email for a criminal investigation. How should you handle this?
Refer him to the Office of General Counsel and then await direction from them. If practical, walk him over to the General Counsel’s HSC office. You want to be cooperative and helpful while complying with UF policy. Notify your supervisor and explain what is happening. UPD should be notified as well.
The detective pulls out a warrant and asks you to provide a copy of the suspect’s mailbox. How should you handle this?
Explain that you are not versed in reading legal documents, and you are required to have the warrant reviewed by the Office of General Counsel before turning over a copy of the mailbox. Call the General Counsel’s Office, or walk him over to the General Counsel’s HSC office to have the warrant reviewed and to receive instruction. If possible, also notify your supervisor or a department manager or director and explain what is happening.
The detective grows annoyed, demands that you provide a copy of the email per the warrant, and begins taking out his handcuffs.
Make the copy and give it to him. If there is a co-worker in the area, tell them to make contact with your department director and the Office of General Counsel as soon as possible and explain what is going on.
- Porn Scenario
A user complains that he is having trouble downloading files from the internet. When you arrive, you discover the files he is downloading are Adult pornographic pictures. How should you handle this?
Inform him that pornography violates the UF HSC Acceptable Use Guidelines if his access and storage of pornography using University computers has not been authorized, and excuse yourself from his cubicle. Report the incident to your supervisor and await direction. You do not have to fix the download problem for the user. You should not attempt to confiscate the workstation or the pornographic files without direction from your supervisor or UF Human Resources. Adult pornography is not illegal; it violates the UF HSC Acceptable Use Guidelines because of the security risks that pornographic web sites present to our computing environment. Its presence triggers investigation for illegal activity such as child pornography.
- Porn Scenario
As you are troubleshooting a problem on a customer’s PC, you encounter pornographic files; one of the subjects in the picture seems young. How should you handle this?
Notify your supervisor, manager or director immediately as you may have encountered a child pornography incident. The UF Human Resources Dept and Office of General Counsel will need to be notified as soon as possible as well, by your supervisor. If you receive instruction to secure the workstation, 1) disable the user’s domain account, 2) physically disconnect the workstation from the network by unplugging the network cable, and 3) secure the area (lock office door, remove keyboard/mouse, turn monitor off, hang a sign on the monitor, have someone watch the area, etc.) so that the workstation cannot be accessed until appropriate authorities arrive. If at all possible, do not shut off the workstation. If the workstation has been shut down when you arrive to secure it, then remove it from the area and lock it in a safe place.
- Porn Scenario
Accessing and storing Adult pornography now requires authorization to ensure there is a mission related purpose. You know there are several computers in your department that could have Adult porn stored on them. How should you handle this?
Don’t launch an effort to search and destroy pornographic files, or to police users for pornography. If personal uses of your department computers are causing technical or operational problems, then plan an effort to control all offending personal uses and be sure your plans comply with the HSC AUP guidelines plus any additional guidelines determined by your Unit. Focus on keeping our computers healthy, not catching and disciplining users.
- Resource Scenario
You have implemented a technical process to scan your file server for music files and discover they account for 63% of all files stored on your file server. How do you handle this?
You may delete personal music files from shared HSC IT resources. But do so with good communication. Make sure users are aware of the music file purge on your fileserver well enough in advance to have an opportunity to copy their files to another storage resource. If you plan to implement a technical process that prohibits or automatically deletes music, ensure users are aware that it will be initiated well enough in advance to move their files to another storage resource. If you delete users’ personal files or prevent their storage on your department file server without good communication to your users, you will lose credibility with your users who will see your services as unreliable.
One of your users explains her music files are for research and need to remain stored on the department server. How do you handle this?
Most of you know what type of research work is done in your department. It’s not likely there would be a research project involving music in Anatomy and Cell Biology, but it makes sense that there might be one in Pediatric Psychiatry. If in doubt, request a copy of the grant. The new HSC AUP Guidelines will take care of most of the personal use abuses, but a small number of cases may be challenging. Avoid setting up bureaucracies for everyone just to deal with a small number of exceptions.
- Resource Scenario
Your staff has re-imaged the same user’s computer for the 3rd time because it was hacked. You are able to determine that the user regularly visits gaming sites. How do you handle this?
Notify your supervisor and obtain support to have the user’s supervisor notified of the unacceptable use. Document it as a security incident in your incident tracking database. The user and her supervisor should assure you that the gaming site access will cease and desist. If you are unable to garner support to counsel the user, report the incident to the HSC incident response team, and a communication will be sent to the user and her supervisor from the UF HSC Chief, Information Security requesting assurances the user will discontinue access to gaming sites.
- Resource Scenario
While troubleshooting a user’s workstation, you notice several computer games installed on it. How do you handle this?
If you have passed a more strict policy prohibiting use of computers for games, then notify your supervisor and the supervisor of the user and await direction to delete all of the games from the user’s workstation. If you are using the UF HSC AUP guidelines on this type of personal use, users are permitted to have personal files on their workstation. But, if the problems you are troubleshooting on the workstation are likely to have been caused by the games you found installed, inform the user of your findings and remove the games or ask them to remove the games. If the user becomes argumentative, end the troubleshooting session. Notify your supervisor and await support to remove the offending games from the end user workstation.
- Resource Scenario
In the course of your work, you discover an employee running a game server from a server he used with his grant funding. How should you handle this?
Inform him that it is a violation of the UF AUP to use University equipment to offer non-business related services to people outside the institution. Ask him to remove the game server. In conjunction with your supervisor, notify the Principal Investigator of the abuse. Log it as an incident in your security incident tracking system.
- Resource Scenario
You have been notified by the Network Authority that a considerable amount of network traffic is being generated from one of your servers. You discover an employee has loaded Skype (a VoIP server) on your server for a legitimate business process, and it is available to other Skype users on the internet. How do you handle this?
First inform the user that he should not load any software on departmental computers without security review. If this has occurred before and the user has been informed in the past, log it as a security incident in your incident tracking database and obtain support from your supervisor to request assurances from the offending user and his supervisor that the behavior will stop. Inform the user, and if necessary his supervisor, that the software has been installed such that anyone on the internet can use it and it is a violation of the AUP to offer University computing equipment to unauthorized users and for non-University business. If there is a legitimate business reason for the software, perform a security evaluation of it and if it is sufficiently secure, re-install it for the intended business purpose only.
- News Reporter Scenario
An employee of the Gainesville Sun has left you a voicemail informing you that he is doing an article on health care in Gainesville, and has requested to access your departmental web site.
Notify your supervisor and the UF HSC Office of News and Communications (352-273-5810) anytime a reporter makes or attempts to make contact with you, and await direction.
- Public Records Request Scenario
A UF employee from another part of campus not in your department requests the salaries of all of the employees in your department. He claims it is public record and has a right to the information. As system administrator, you have access to the information.
Tell the requestor that you will refer his request to your department administrator who will respond to his request. While all public records requests may not be appropriate, minimally they require a response. If you are instructed by the administrator of your department to release such records, produce the report, but give it to the administrator to release to the requestor.
- Public Records Request Scenario
A research employee from your department has decided to take a job with another University. She leaves before taking the time to sort out her email. Three months later she sends a request for you to retrieve her old email and submits this as a public records request. Her email no longer resides on-line, rather it is in your email archive and housed at a physically different location. It will be no small effort to retrieve and restore it.
Several things need to be considered here. First, it is a legal public records request and must be responded to. Second, the requestor is a former employee who may have had access to Restricted information. Access she had while employed is unauthorized access now. There may be sensitive information in her email to which she should no longer have access (i.e. email messages about patients.) Third, if copying the email or copying any public records for a requestor requires extensive use of information technology resources or clerical and/or supervisory assistance, the university may assess a reasonable service charge based on the university's actual incurred costs. An estimate of the charges should be given to the requestor and approval obtained prior to responding to the request. All charges should be collected before producing the documents. Your estimate must reflect actual costs and cannot be exaggerated in any way. For example, if you are estimating a system administrator’s time, you must use the salary of the lowest paid system administrator in your department. Costs for clerical and/or supervisor assistance should be added into the estimate for the time someone in your Unit must spend sorting through the requestor’s old email and determining what can be given to the requestor and what cannot due to authorization rules. Cardinal rule applies – involve your supervisor and the manager or supervisor of the department in which the former employee worked to develop a plan for responding to the request. An excellent source of information on this topic can be found in the UF Policy Email as a Public Record (http://www.it.ufl.edu/policies/documents/Email as public records.pdf.)
- Public Records Request Scenario
A former student, now living in Utah, emails a request to you asking to see the email of the Dean of your college from January, 2006 – December, 2006. He claims under the Federal Freedom of Information Act (FOIA) he has a right to the Dean’s email.
A FOIA request is similar in spirit to the State of Florida’s Public Records Laws; it requires staff from public institutions to respond to and provide a copy of existing UF information when a valid FOIA request is submitted. There are specific elements that must be present in a FOIA request. In addition, exceptions apply. For example, we are not required to provide copies of protected health information or identifiable student records. Other more subtle exceptions apply. All FOIA requests should be referred to the Office of General Counsel who is more familiar with the types of information that should be excepted when a request is made.
- Fundraising Scenario
You receive an email from a co-worker informing you of a ‘Sara Foster’ fund raiser for the elementary school her daughter attends. The email is addressed to the entire dept. As the email administrator how do you handle this?
Since the email was sent from your departmental email system, reply to the sender and cc her supervisor that your departmental email system should not be used to send email for personal fund raising.
- Fundraising Scenario
You receive an email from a colleague in another department on campus requesting donations for the Boy Scouts trip to Washington, DC. The email is addressed to your entire dept. As the email administrator how should you handle this?
Make your donation decision and delete the email. This would be handled a little differently because it originated outside of your email system, like a great deal of other junk mail. It could be that the sender is operating under less restrictive AUP email guidelines and he is allowed to send such email. If anyone in your Unit complains, point their complaint to the owner of the dept list serve that the sender took advantage of. The owner is the person who determines who may be on the list serve and the rules of the list serve. If the sender cannot be controlled through list serve management or through leadership intervention with the sender, consider setting a SPAM or junk mail rule on your server targeting the sender but obtain Unit leadership approval.
- Fundraising Scenario
You receive an email from a co-worker informing you of a March of Dimes Walk-A-Thon and requesting that you sponsor them financially in their effort. The email is addressed to the entire dept. As the email administrator how do you handle this?
Some charities such as WRUF, CMN, and UFCC have established relationships with UF in terms of university-wide fundraising. If a HSC department staff member sends an email which discusses recruiting walkers and/or donations for the American Heart Walk to represent that department, then this would be a university-related/sponsored activity. When an employee says that he or she wants to be sponsored individually, then it becomes personal fundraising. This employee is not acting as a university employee and not representing her department. Since the email was sent from your departmental email system, reply to the sender and cc her supervisor that your departmental email system should not be used to send email for personal fund raising.
It will be difficult at times to determine whether or not a fund raiser is related to the University. Don’t forget your focus – maintaining stability of your email system, not deciphering fund raising policy. Take initiative on mass emailings that are evidently not related to the University and limit your time on issues that are not a threat to your email system. Be careful not to become the fund raising police of your department; your goal is to protect the systems not enforce fund raising policy.
He argues that the game server is only available to people in the University, not people on the outside.
Inform him that it is a violation of the UF AUP to use University equipment to offer non-business related services to anyone. In addition, shared HSC computers such as servers may not be used for storage of personal files. Ask him to remove the game server. In conjunction with your supervisor, notify the Principal Investigator of the abuse. Log it as an incident in your security incident tracking system.