Policy on Requests to NYU Information Technology (NYU IT) to Support Investigations

Policy

At all times, NYU IT will respect the confidentiality, integrity, availability, and security of the wide variety of information contained in the electronic communications, records, and facilities it manages. As a result,

1. in general, NYU IT monitors system health and not individual content unless directed by law or appropriate University authority;
2. the Vice President, Information Technology & Global University Chief Information Officer (VP/CIO) is thus required to set a high bar for justification of any requests to support an investigation;
3. the Code of Conduct: IT@NYU supports this high standard for individual employees;
4. this policy explains how to make a request to NYU IT to support an investigation.

The Code of Conduct: IT@NYU (section V) states that requests for information or to conduct investigations should be fulfilled only with the express authorization of NYU IT management. The Code mandates individuals to

Refer all requests from other NYU offices, or non-NYU organizations or individuals for information or investigations of records or facilities managed by NYU IT or related areas to the relevant individual for your location referenced in the Appendix to this Code for authorization; you may not take individual action to comply with the request.

As a clarification of the Code of Conduct, requests for information may be made by a Dean of a school, the senior departmental administrator, or a Human Resources Officer. Requests from external sources are referred to the Office of General Counsel. In order to optimize the response to each request, all requests for information concerning the electronic communications, records, and facilities managed by NYU IT should be transmitted on official letterhead to the VP/CIO via email (cio-investigations@nyu.edu). The request for information must include:

1. name, NetID, and N number of individual whose information is to be accessed;
2. name and work title of individual requesting the access;
3. reason for request;
4. period of information requested;
5. relevant restrictions on communications requested (e.g., between specific parties);
6. final disposition of the accessed information; and
7. signature.

  
The VP/CIO has responsibility for fulfilling the request with assistance of necessary operational and/or technical staff, denying the request, or escalating the request as needed, in consultation with other University Data Trustees and Stewards, as appropriate.

The specific procedure (Procedure on Requests to NYU Information Technology (NYU IT) to Support Investigations) for releasing electronic information or conducting investigations concerning electronic information largely depends upon the content being requested, where it is stored, and the nature of the request. Instances include, but are not limited to:

1. where access is required by and consistent with law or in response to a lawful demand;
2. where there is substantiated reason to believe that violation of law or University policy may have taken place;
3. when there are compelling circumstances, including substantial University risk of harm or liability;
4. where access is necessary to obtain information essential to maintain the normal operation of the University;
5. when there are time-dependent, critical operational circumstances or necessities, including audit requirements;
6. when a deceased or incapacitated individual is involved; and
7. when there is a possible life or safety emergency.

All those involved in gaining access to the information hold the process and resulting findings in strictest confidence.

The Code of Conduct: IT@NYU also specifies that

Any court order, warrant, or subpoena requesting such investigation or release of NYU records or information must be referred first to the VP, Information Technology & Global University Chief Information Officer or to the senior relevant individual for your location referenced in the Appendix to this Code, for consultation with University Counsel; you may not take individual action to comply with the request.

In addition, the University policy Contracts, Subpoenas, and Other Legal Matters Policy provides direction and guidance to NYU members in how to respond appropriately to requests or inquiries concerning legal matters.

Purpose of this Policy

This policy establishes the responsibilities for prompt, appropriate, and consistent actions associated with requests for information about the use or misuse of University systems, while it adheres to the University's already-established position on monitoring, posting, or removing material from its network and systems; maintaining the confidentiality, integrity, availability, and security of the University's systems and network; and continuing to encourage trust throughout the University community about the reasonable expectations of privacy in information technology.

Scope of this Policy

This policy deals with the process to request information from NYU IT or to conduct investigations as a result of those requests. This policy applies to members of the University community and affiliates who either request information or access to information or an investigation into information stored on NYU's computer and information resources.  This includes each NYU school, college, and institute that functions similarly as a school or college (e.g., IFA, ISAW, Courant, and CUSP), all NYU campuses, and other global sites.