Overview and Purpose
The [variable: Covered Organization] network is owned and operated by [variable: Covered Organization] for business, administrative, and research purposes. In the course of normal network operations, some computer systems and network devices automatically generate tracking and logging data, such as source and destination internet protocol addresses, session times, port numbers, or file sizes. This information may be indicative or directly reflective of business activities and communications that should not be exposed to unauthorized individuals.
This policy establishes general privacy requirements for information automatically generated by [variable: Covered Organization] networked computer systems and network devices, including systems and devices involved in the transmission and storage of voice data. The policy further delimits the conditions under which network data may be disclosed.
Coverage
All individuals who use and/or manage [variable: Covered Organization] networks or operate networked computing devices.
Definitions
General Terminology
Policy
It is the general policy of [variable: Covered Organization] to treat all network data as private.
Exceptions
Information carried or stored over the network may be exposed or disclosed under the following circumstances:
- To maintain the integrity and availability of network operations. [variable: Covered Organization] may intentionally or inadvertently expose information resources stored on networked machines or transmitted through the network in the following situations:
  - Network performance monitoring or troubleshooting
  - Moving data through the network via automated store-and-forward systems
  - Copying, archiving, or otherwise preserving portions of messages transmitted over the network in the course of routine network maintenance activities
- In the event that [variable: Covered Organization] messages or data files within the network indicate the presence of activities that violate internal policies or law.
- In the event of recognized network security threats. [variable: Covered Organization] reserves the right to investigate and remediate possible network security threats, including by means of capture, logging, and examination of files, communications, and other traffic and transmissions over or on the network.
- In response to a court order
- In the event of a legitimate health or safety emergency
- In pursuit of reasonable business interests, such as fulfillment of partnership agreements.
All requests to retrieve and share network information must be submitted to [variable: Organizational Role] and approved by [variable: Organizational Role]. Such requests include 1) the name and role of the requestor, 2) the reason for the request, in accordance with the principles set forth in this policy, and 3) the intended use of the requested data. Any network data intentionally shared with third parties must be sanitized to preserve the anonymity of network users.
Enforcement
Violation of the [variable: Covered Organization] Network Privacy Policy may result in disciplinary action, which may include termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of [variable: Covered Organization] Information Resources access privileges and to civil and criminal prosecution.
Supporting Documentation
This policy is supported by the following rules, standards, and procedures:
- [variable: internal documents (with links, if available) ]
- [variable: external documents (with links, if available) ]
References
- Computer Fraud and Abuse Act of 1986
- Computer Security Act of 1987
- The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Policy Model(s)