Governance Instruments

Network and Systems

IT Services has a number of policies regarding the various services offered to the University. The policies specific to Networks and Systems are available here for the Queen's community to reference.

Mailing Lists

IT Services licenses, maintains, and operates L-Soft's Listserv Mailing List Management Server for Queen's faculties, departments, and offices. These procedures outline acceptable use of mailing lists at Queen's.

VPOC approval received Monday December 8, 2014

Note: Implementation of this procedure is currently being developed. In some cases, the provisioning procedure documented on this page does not reflect the current practice.

Purpose/Reason for this Procedure:

This procedure establishes what happens to an employee’s IT access privileges when they leave the employ of Queen’s University.  This is necessary to address the following requirements:

  • With the university’s single-sign-on capability, a Queen’s NetID and associated password can enable access to services and systems which the former employee should no longer be able to access.
  • Without appropriate deprovisioning, the university may be in violation of software licensing agreements or service contracts which restrict access to individuals who are employees or registered students.
  • IT controls assessments conducted for the university have strongly recommended consistent deprovisioning procedures for when employees leave, as a best practice.

Within the university context, however, there can be circumstances where selective reprovisioning may be required.

Procedure Owner: ITS

Scope of this Procedure:

This procedure applies to all Queen's employees, whether full-time, contract, or casual, who cease to be an employee of the university for whatever reason, including resignation, retirement, termination, or death. Faculty members with official emeritus status are outside the scope of this procedure. Employees with recurring but non-consecutive appointments or on a leave of absence may be subject to this procedure, depending on the needs of their department.

A) Default Deprovisioning Procedure

In most cases, when an individual ceases to be an employee of the university, as reflected in Queen’s University Human Resources records, all services associated with the individual’s NetID will automatically be removed at the end of their last day of employment. At that point, the individual loses all access to the university’s information and technology systems, resources and facilities. Email and other data associated with their account(s) will be retained for a defined period. Queen's NetIDs are not recycled, and can be reprovisioned at a later date if required.

B) Exceptions

Email Services for Retired Faculty and Staff

Retiring faculty and staff members' email accounts remain active until either they no longer require them, or the university ceases to provide that email service. Note: if retired faculty members do not change their email account password when prompted to do so, their account will be deactivated 365 days after the password expires.

Email Services for Continuing Adjunct QUFA Members

Continuing Adjunct QUFA Members will, in accordance with the Queen’s-QUFA 2011-15 Collective Agreement, retain access to their email account for eight (8) months following the end of their appointment. This does not have to be requested as it happens automatically.

C) Sponsored Access Arrangements (implemented via Contingent Worker construct in PeopleSoft) 

There can be situations where access to selected IT services may be required beyond or outside of a period of formal employment. Authority to request such continued access rests at the Unit (Department) Head level or above. The following are typical scenarios:

Absences

While on an unpaid leave of absence, or between non-consecutive periods of employment, it is possible for an employee to retain access to certain services, but this must be formally requested by the employee’s Unit Head at least 30 days in advance of the anticipated absence or the end of an employment term.

Former Employee Access

Department heads can “sponsor” a former employee to be provided with specific access to services such as email, to reflect some continued affiliation with the department or the university. Such sponsored arrangements will be for a defined term, typically a year, but can be renewed. There may be access privileges which cannot be sponsored due to contractual or licensing restrictions or terms.

Requests for Sponsored Access must be approved by the Unit Head and submitted through the ITS Online Help Form. Units are responsible for tracking the renewal dates for such sponsored access arrangements, and ensuring that renewal requests are submitted well enough in advance to prevent interruption of access. Where possible, ITS will endeavor to generate reminders to the department.

VPOC approval received Monday December 8, 2014

Purpose/Reason for This Procedure:

Exceptional circumstances may make it necessary to access the contents of University resources that have been allocated to a specific employee or student ("Account Holder"). This Procedure establishes the authorization required for providing such access to someone other than the assigned user.

For the purposes of the procedure, IT resources include but are not limited to individual accounts for using the University's:

  • Email and Calendar services,
  • Telephone and Voicemail services,  
  • Storage and Backup services including OneDrive and Active Directory File share, and
  • other account-based services such as the Queen's Wiki, Portal and Proxy services.

IT resources associated with courses offered by the University are outside of the scope of this procedure.

In all cases access will be limited in scope and time only to that which is necessary for the stated situation.

Procedure Owner: ITS

Note: Unless otherwise stated, all University resources are provided to employees for University business and contain University records.

"...Records in the custody and control of the University are subject to the public right of access in the Freedom of Information and Protection of Privacy Act (FIPPA)."

EMAIL & FIPPA BEST PRACTICES (Office of the Access & Privacy Coordinator)

Under normal circumstances, the named/identified Account Holder has primary access to these University resources. The University reserves the right to access these resources under the following circumstances. The procedure will be based on authority and notification as indicated below.

A) Academic Staff Account Holders (includes Faculty, Adjuncts, Librarians, Archivists)

"Members have the right to privacy in their personal and professional communications and files, whether on paper or in electronic form, subject to the Freedom of Information and Protection of Privacy Act (FIPPA) and any other legal requirement. The Provost and Vice-Principal (Academic) may authorize access to a Member’s computing and network account(s) with the University only if there are reasonable grounds to believe that the Member may be threatening the security and integrity of the computing or network facilities, violating any software licensing agreement, or attempting to access another user’s account or data without that user’s permission". [QUFA Collective Agreement 2019-22]

The university is obliged to provide access for a search warrant authorized by a court.

B) Student Account Holders

Resources are private [1]. The University reserves the right to access under the following circumstances.

| Situation | Authority(s) | Process/Procedure | Notice to Account Holder |
|---|---|---|---|
| After death of the Account Holder | Governed by the Student Death Protocol section of FIPPA | | N/A |
| Where there are reasonable grounds to suspect Account Holder misconduct | One of: Dean of Student Affairs; University Registrar | Authority completes ITS Access Authorization Request. Note: you may be contacted following submission to discuss the request and to provide additional details before access is granted. | No |
| Security or police request | Director of Campus Security | Authority contacts Information Security Officer | Determined by Authority |
| Search warrant | Court | Authority contacts Information Security Officer | Determined by Authority |
| Remedy an accidental breach of privacy and/or misdirected email | Access & Privacy Coordinator | Authority completes ITS Access Authorization Request. Note: you may be contacted following submission to discuss the request and to provide additional details before access is granted. | In writing from Authority |

[1] Students who are also employed by the University should not use their student account for employment-related purposes. In such cases, the student should be provided with an employee account.

C) Non-QUFA Employees and Other Account Holders

Resources are not private, but may be used for private purposes. The University reserves the right to access under the following circumstances.

Notes:

  1. For most situations involving employees, that individual's Unit Head is the primary authority. Alternates are for situations where the Unit Head is absent.
  2. IT Admin Reps may employ the procedures indicated below on behalf of their Unit Head, but the Unit Head remains the Primary Authority.

| Situation | Authority(s) | Process/Procedure | Notice to Account Holder |
|---|---|---|---|
| Specific critical and/or time sensitive information required to conduct University business is needed from the account of an employee who is unreachable, or who refuses to provide access upon request | Primary: Unit Head. Alternates: Dean, AVP or higher | Authority completes ITS Access Authorization Request. Note: you may be contacted following submission to discuss the request and to provide additional details before access is granted. | In writing from Authority |
| Need to correct an erroneous "Out of Office" message created by an employee who is unreachable | Primary: Unit Head. Alternates: Dean, AVP or higher | Authority completes ITS Access Authorization Request. Note: you may be contacted following submission to discuss the request and to provide additional details before access is granted. | In writing from Authority |
| Account Holder's employment terminated | Primary: Unit Head. Alternates: HR Client Services Manager, Dean, AVP or higher | Authority completes ITS Access Authorization Request. Note: you may be contacted following submission to discuss the request and to provide additional details before access is granted. | No |
| After death of the Account Holder | Primary: Unit Head. Alternates: HR Client Services Manager, Dean, AVP or higher | Authority completes ITS Access Authorization Request. Note: you may be contacted following submission to discuss the request and to provide additional details before access is granted. | N/A |
| Where there are reasonable grounds to suspect employee misconduct | Primary: AVP Human Resources. Alternates: University Counsel | Authority completes ITS Access Authorization Request. Note: you may be contacted following submission to discuss the request and to provide additional details before access is granted. | No |
| Security or police request | Authority: Director of Campus Security | Authority contacts Information Security Officer | Determined by Authority |
| Search warrant | Court | Authority contacts Information Security Officer | |
| Remedy an accidental breach of privacy and/or misdirected email | Primary: Access & Privacy Coordinator | Authority completes ITS Access Authorization Request. Note: you may be contacted following submission to discuss the request and to provide additional details before access is granted. | In writing from Authority |
| Respond to a freedom of information request under FIPPA or similar applicable legislation where access is refused upon request | Primary: Access & Privacy Coordinator | Authority completes ITS Access Authorization Request. Note: you may be contacted following submission to discuss the request and to provide additional details before access is granted. | In writing from Authority |

Additional Context:

System administration and logs

System administrators and other employees responsible for troubleshooting or investigating system or security problems or complaints have access to resources, files and logs as necessary to fulfill their job duties. These employees are obligated to respect the privacy of all files and records.

Records of authorization

Records of authorization requests submitted through the online forms will be maintained by ITS and deleted after seven years. These records are classified as Confidential.

Unit Heads are advised to maintain their own records of Exceptional Access Authorization Requests.