As an educational institution, and in the spirit of academic freedom, Purchase College recognizes that it is essential that faculty, students, staff, and other college employees have some degree of confidence that their privacy will be respected and protected when using college computing resources for collaboration, research, scholarship, and administrative purposes. Purchase College considers information privacy a very serious matter, and therefore the college has established local policies and procedures to safeguard and protect each individual’s privacy.
This document describes the Purchase College and New York State (NYS) policies and practices regarding information privacy for students, faculty, staff, or any other persons using college-owned devices and systems.
Purchase College, as a part of the State University of New York (SUNY)—a state agency—is governed by NYS policies on information security. New York State Information Security Policy P03-002 covers the privacy of materials on state-owned computers in the following statements:
Consistent with applicable law, employee contracts and state entity policies, the state entity reserves the right to monitor, inspect, and/or search at any time all state entity information systems. Since computers and networks are provided for business purposes, staff members shall have no expectation of privacy in the information stored in or sent through these information systems. State entity management additionally retains the right to remove from its information systems any unauthorized material.
This policy is applicable to state entities, staff and all others, including outsourced third parties, which have access to or manage state entity information. Where conflicts exist between this policy and a state entity’s policy, the more restrictive policy will take precedence.
Covered by this Policy:
This policy covers the individual email accounts that are assigned to students, faculty, staff and other employees; the personal “home directories” that are created for individual students, faculty and staff members; contents of college-owned desktop computers, laptop computers and mobile computing devices assigned to individual employees; and materials stored in college-owned servers (file servers, web servers, collaboration servers, etc.).
For college email, personal home directories, and information stored on desktop or laptop computers, tablets, mobile devices, and servers, the contents of each individual’s email account, personal home directory, server directory, desktop or laptop drives or mobile storage devices are considered to be for college business purposes. However, the materials contained therein will only be accessed by the college under specific circumstances—and with explicit written approval from a minimum of two of the following:
SUNY Legal Counsel
Supervisors seeking access to departed employee materials must obtain approval as noted above.
Approval: Specific written approval will include: written justification for accessing the materials, the name of the individual whose materials will be accessed, the location of the materials to be accessed, who they are to be accessed by, and a time period for access sufficient to achieve the stated goal (locating messages, files, or other materials).
This written approval must be provided to the Director of CTS/ISO. In emergency circumstances (electronic intrusion, malware, etc.) verbal approval may be granted, but specific written authorization must be provided as soon as is practical. Without written approval as described, no college employee may access any other individual’s electronic materials for any reason—and any such access will be considered a violation of the college’s computer ethics policy.
Procedure: Upon receipt of written approval from two or more college officers to access an individual’s materials, CTS information security staff will notify the director of Human Resources (HR) to arrange supervised access to the materials, and secure an electronic copy of the materials in question for the supervised review. Human Resources will then arrange a time and location for the supervised review. During the supervised review, a senior Human Resources staff member will be present to supervise the review, and CTS information security staff may be present to provide any needed assistance in accessing the materials. In cases where large volumes of material are subject to review, HR, CTS, and the reviewer may convene more than once during the stated review period. The duration of the period for which access is to be granted must be reasonable and will not be open ended.
Written approval to access electronic materials will only be granted in cases where:
There is an open and active Human Resources investigation
There is an open and active law enforcement investigation
There is reasonable cause to believe that the computing resource is being used in violation of the college’s computer ethics policy, a contractual obligation, or state or federal law.
The individual is not available to grant access due to illness or extended absence and there is a demonstrable business need to access materials believed to be in their possession
This policy specifically does not cover information stored in collaborative or departmental file share folders that are normally used as repositories for shared materials—even if that departmental file share contains a subfolder that may be in an individual’s name. Collaborative file sharing folders are specifically set up to be used to store shared documents, and unit supervisors routinely have access to all materials stored in departmental file-share folders. Supervisors and employees should take note that departmental file-share folders are the preferred storage method for official college-related business. Employees should be strongly discouraged from storing official college-related business (memos, reports, policies, spreadsheets, or official correspondence) in any place other than a departmental file-share folder. Likewise, employees should be strongly discouraged from storing materials they consider personal or private in any shared file folders.
Similarly, this policy does not cover course-related file shares, drop boxes, or other shared resources that are specifically set up for classes or instructors. Materials placed into academic shared resources are not considered private, and the instructor will routinely have access to these materials.
Kathleen Farrell
Director of Human Resources
Purchase College
735 Anderson Hill Road
Purchase, NY 10577

Ricardo Espinales
Assistant Director of Human Resources
Purchase College
735 Anderson Hill Road
Purchase, NY 10577

Director of CTS/Information Security Officer
735 Anderson Hill Road
Purchase, NY 10577