OUHSC Information Technology Department

Home  |  Online Help  |  Policies  |  Tier Ones

Monitoring Computer Use

(A component of the Acceptable Use of Information Systems Policy)

The University employs various measures to protect the security of its computing resources and users' accounts. Users should be aware, however, that the University cannot guarantee such security. Users should also be aware that their uses of University computing resources are not completely private. While the University does not routinely monitor individual usage of its computing resources, the normal operation and maintenance of the University's computing resources require the backup and caching of data and communications, the logging of activity, the monitoring of general usage patterns, and other such activities that are necessary for providing service.

The University may also specifically monitor the activity and accounts of individual users of University computing resources, including but not limited to, individual login sessions and communications, without notice, when (a) the user has voluntarily made them accessible to the public, as by posting to Usenet or a web page; (b) it reasonably appears necessary to do so to protect the integrity, security, or functionality of University or other computing resources or to protect the University from liability; (c) there is reasonable cause to believe that the user has violated, or is violating, the Acceptable Use of Information Systems policy*; (d) an account appears to be engaged in unusual or unusually excessive activity, as indicated by the monitoring of general activity and usage patterns; or (e) it is otherwise required or permitted by law.

Any such individual monitoring, other than when the user has voluntarily made them accessible to the public, or necessary to respond to perceived emergency situations, must be authorized in advance by the Chief Information Officer, University Legal Counsel, or their designees.

The University, at its discretion, may disclose the results of any such general or individual monitoring, including the contents and records of individual communications, to appropriate University personnel or law enforcement agencies and may use those results in appropriate University disciplinary proceedings. Communications made by means of University computing resources are also generally subject to discovery requests and Oklahoma's Open Records Act to the same extent as they would be if made on paper.

*The Acceptable Use of Information Systems policy may be found at www.ouhsc.edu/it/security/policy/aup.asp

Approved by the Provost and Deans' Council September 6, 2000

Reviewed 02/01/2013

Frequently Asked Questions about Monitoring Computer Use

Does the restriction on individualized monitoring prohibit a supervisor or co-worker from accessing an employee's computer files for work-related purposes?

The policy's provisions on monitoring govern only the monitoring and investigation of actual or suspected misconduct or misuse of University computing resources, not the ordinary, everyday functioning of an office. Thus, for example, to the extent that a PC or network server serves as the functional equivalent of a desk drawer or file cabinet, supervisors and co-workers continue to have the same access to it for normal, noninvestigatory, work-related purposes - i.e., to retrieve a file or document needed while the employee who maintains the file or document is away from the office - as they always have. Obtaining such access is not considered "monitoring" for purposes of the policy and does not require the advance authorization of the Chief Information Officer, Legal Counsel, or designee. If, however, a supervisor or other employee discovers evidence of possible misconduct or misuse while accessing University computing resources under the control of another for normal, noninvestigatory, work-related purposes, further monitoring or investigation of those computing resources for purposes of dealing with the suspected misconduct or misuse does require the advance authorization of the Chief Information Officer, Legal Counsel, or designee, unless the monitoring is necessary to respond to perceived emergency situations. Evidence discovered in the course of normal, noninvestigatory, work-related activity may be used as a basis for seeking such authorization.

What is an example of a perceived emergency situation as stated in the policy on monitoring computer use?

An example of a perceived emergency situation would be a situation in which a person or facility is threatened and possible injury could result if quick action is not taken, such as in a bomb threat.

Why must monitoring be authorized by the Chief Information Officer, Legal Counsel, or designee?

The purpose of the advance authorization provision of the policy is to make clear that authority to engage in investigatory monitoring of University computing resources is not implied or inherent in any job position, to ensure consistency in the development and application of the standards for monitoring, and to enable the University to monitor the effectiveness of the policy itself, not to require that all authorizations be made by a single person.

You believe that one of your employees is wasting time surfing the web. Should you check their history files?
You notice a suspicious looking student in the computer lab. Should you remotely monitor his activity?

Before monitoring the activity of a specific user you need to contact the CIO, Legal Counsel or designee. For issues relating to job performance you should contact personnel services. These contacts will be familiar with the technology, policies, laws, and best practices regarding such individual monitoring.