The UC Electronic Communications Policy (ECP) specifies requirements for obtaining consent or authorization to access the electronic files of current employees and for using the "least perusal of contents and the least action necessary to resolve the situation."
While ECP provisions do not cover former employees, campus practice extends similar courtesies of consent or notice and least degree of invasiveness to former employees when possible.
The following best practices are recommended to avoid the need to access the accounts and data of former employees.
Maintain departmental (SPA) email accounts and document shares, and direct employees to use these shared resources to store work that is valuable to the ongoing operation of the department.
Establish Expectations Upon Hiring
Upon employee hiring, establish the expectation that personal use of University accounts should be incidental and that individual accounts and their contents are the property of the University.
Review Electronic Resources Prior to Separation
- Prior to an employee's separation, have the employee review electronic information in their possession:
  - Forward messages of ongoing operational value from individually assigned University email accounts to a shared Special Purpose Account (SPA).
  - Transfer files from devices and online accounts to a departmental server or Box account, or change bDrive file ownership to a SPA (first share the file, then click "Advanced" to change ownership).
  - Remove or transfer personal information to non-University resources.
- Remind the separating employee that files left behind are property of the University.
- Consider whether any University information is stored on non-University personal accounts or devices -- transfer or delete any such data as appropriate.
- Upon separation, set an "auto-reply" forwarding message on email accounts and a voicemail message that directs people to alternative sources for assistance.
Due to privacy and staff resourcing concerns, it is not standard practice for IT staff to provide access to former employees' accounts. The following exception procedure is established for incidents when campus operational needs require access to a former employee's files.
In cases where the above recommended practices were not established or other unusual circumstances make accessing a former employee's email or files necessary, it is ideal to notify the former employee of the business need for access to information in his or her account and request either their assistance in accessing the needed information, or their consent for IT staff to grant access. When departmental staff (CalNet deputies, local IT staff) have the technical capability to provide someone else access to former employees' data, the procedures referenced below, or a similar process approved by the department head, should be followed.
Option 1. Former Employee Gives Access
The ideal method for gaining access to a former employee's email or files is for the former employee to grant access himself or herself, either by a) forwarding specific requested information, or b) personally granting access to the account.
Granting access can be performed by the former employee after separation during the CalNet grace period.
Instructions for granting another individual access in bMail (also grants access to Google Drive)
When there is a positive relationship with the former employee, either the forwarding method or granting account access method is preferred, as it provides notice, allows the individual to prevent exposure of personal information, and also avoids involving external IT/administrative staff resources.
Option 2. IT Staff Grant Access
If it is not practical for the former employee to provide access to the needed information, a request for IT staff assistance can be sent by the former supervisor of the separated employee to firstname.lastname@example.org. Please provide the following information:
a. Indicate whether the former employee was contacted, and whether consent for access was granted.
b. Describe departmental procedures and resources that are intended to provide for continued department access to University records (including files and email) after an employee's separation (see Recommended Practices above) and explain why standard departmental procedures were not sufficient in this instance.
c. Describe the request in detail: account name(s), description of resource for which access is needed, who will be given access, how long access is needed, etc. In accordance with the principles of least perusal established in the Electronic Communications Policy, please define the request as narrowly as possible (i.e., identify specific files or folders) and provide justification if access is requested for more than several days.
d. Acceptance by the person who will be given access that the "least invasive degree of inspection" will be used, i.e., that upon encountering a personal message/file the user will stop looking at it and move on, and once the needed information is obtained, access will be terminated.
The UC Berkeley Privacy Office will review the request and forward it to the appropriate service provider.
If a family member requests access to the email or files of a deceased faculty member, campus practice is to coordinate those requests with the deceased faculty member's department.
The chair or another faculty member with expertise in the same academic area may go through the materials with the spouse or family member. This is to protect any data that the department may consider confidential. For example, if the faculty member served on a departmental personnel review committee, the family should not have access to emails to/from colleagues regarding the merits of the candidate. Or the University may want to restrict access to research data, notes, reports, etc. If the department believes confidential University records could be inappropriately exposed, the department should contact the Privacy Office for guidance.
Power of Attorney does not automatically provide access to all of the deceased faculty member's files.
For more information, contact email@example.com