IT Procedures for Handling 3rd Party Information Requests
I. Introduction:
The purpose of these procedures are to define the processes that are to be followed when a 3rd party request for access to non-public information is received by Information Technology or an incident is reported to, or discovered by, Information Technology. 3rd party requests are those not originating from the person whose data is being requested. These procedures do not apply to major incidents involving widespread loss of sensitive or confidential personal information. These latter incidents are dealt with in the TCU Major Computer Incident Response Plan which is under development. Examples of non-public information are traffic logs, email, files or other electronic personal information.
II. Procedures:
Request for access to non-public information pertaining to an incident
When a request to access non-public information is received by Information Technology pertaining to an incident, the request must be authorized by the following departments based on their scope of responsibilities.
- TCU Police – Legal issues
- TCU Human Resources – Code of Conduct issue or other faculty/staff issues
- TCU Student Affairs – Student Code of Conduct or other student issues
- TCU Provost or Dean – Academic cheating issues
- TCU Information Technology – Breach of the Network and Computer Usage Policy or other Information Technology policies
If the incident is first discovered by or reported to Information Technology it is promptly handed off to the appropriate department by the Chief Technology Officer or their designee. Information Technology will then assist these other departments.
If the issue is deemed to be an immediate threat to the security or stability of TCU information resources such as the network or servers, Information Technology may take immediate action to isolate the problem in accordance with the TCU Network and Computer Usage Policy. Under these circumstances Information Technology staff may disable network or account access for persons or equipment inside or outside TCU without prior notice. This action will be reported to the Chief Technology Officer or the Provost as soon as is possible.
Request for access to non-public information outside of an investigation
If Information Technology receives a request for access to non-public information outside of an investigation (e.g. the separation or extended absence of an employee) then the request must be authorized by the following departments based on their scope of responsibilities:
- TCU Police – Legal Matter
- TCU Human Resources – Faculty/Staff Information
- TCU Student Affairs – Student Information
- TCU Provost or Dean – Academic Information
Any request may be approved by the Chancellor, Provost, or the Vice Chancellor over the responsible area or in their absence the Chief Technology Officer.
Any request for access to non-public information about another individual in the same department as the department with the responsibility for the approval of that request must be approved by the Chancellor, Provost, or the Vice Chancellor over the requesting individual or in their absence the Chief Technology Officer. For example a request from TCU Human Resources about one of their employees must be approved by the Chancellor.
