UCSC ITS Routine System Monitoring Practices
I. Routine system monitoring activities
Authorized UCSC ITS employees and contracted service providers who operate and support UCSC electronic communications resources regularly monitor transmissions for the purpose of ensuring integrity, reliability and security of these resources and services. Routine monitoring at UC Santa Cruz includes the following manual or automated activities:
- Monitoring transmissions and transactional information to ensure the proper functioning, reliability, and security of University information technology resources and services under their control.
- Monitoring network traffic and network log files in the course of maintaining the availability of our networked resources.
- Inspecting transactional information as one step in the process of resolving complaints regarding violations of law or policy.
- Checking for personal identity information (PII) in response to established triggers. See UCSC PII Inventory and Security Breach Procedures, Section IV.B.3, for details.
- The System Steward and affected data owners shall be notified prior to performing a scan and where possible shall be informed of scan results indicating the potential presence of PII.
- Scan results must be properly protected and disposed of.
Except as indicated above, user consent is not required for this routine system monitoring.
II. Related policies and principles
The UC Electronic Communications Policy (UC ECP) establishes conditions under which personnel who perform routine monitoring, as described above, may observe or inspect the contents of network traffic, electronic communications, or transactional information during this monitoring. In all cases, individuals must adhere to the following principles:
- Only authorized personnel who have a need to access this data and who understand the restrictions on its use shall have access to it.
- Routine monitoring activities shall be limited to the least perusal and retention required to ensure the reliability and security of systems.
- Except as provided in the UC ECP or by law, individuals will not seek out the contents of network traffic, electronic communications, or transactional information where not germane to the foregoing purposes, or disclose or otherwise use what they have observed. If in the course of their duties, authorized personnel inadvertently discover or suspect improper activity in violation of law or policy, reporting of such violations shall be consistent with the Whistleblower Policy.
- If it is necessary to examine suspect electronic communications records beyond routine practices, the user’s consent shall be sought. If circumstances prevent prior consent, notification procedures consistent with the UC ECP shall be followed.