Lawrence Berkeley National Laboratory masthead LBNL Home A-Z Index U.S. Department of Energy logo Phone Book Jobs Search

RPM

REQUIREMENTS AND POLICIES MANUAL

Search the RPM
 
Home

Privacy, Monitoring, and Access without Consent

    Title:

    Privacy, Monitoring, and Access without Consent

    Publication date:

    3/30/2017

    Effective date:

    2/4/2014

    BRIEF

    Policy Summary

    To further the secure and acceptable use of Berkeley Lab Information Technology (IT) and information at Lawrence Berkeley National Laboratory (Berkeley Lab), this policy:

    • Defines no expectation of privacy in use
    • Establishes authority to monitor and consent to monitoring
    • Establishes policies and procedures for Access without Consent

    Who Should Read This Policy

    • Employees and affiliates
    • Other users of Berkeley Lab IT, including collaborators and visitors

    To Read the Full Policy, Go To:

    The POLICY tab on this wiki page

    Contact Information

    Information Technology Policy Manager
    Information Technology Division
    itpolicy@lbl.gov

    Title:

    Privacy, Monitoring, and Access without Consent

    Publication date:

    3/30/2017

    Effective date:

    2/4/2014

    POLICY

    A. Purpose

    To further the secure and acceptable use of Berkeley Lab IT and information at Berkeley Lab, this policy:

    • Defines no expectation of privacy in use
    • Establishes authority to monitor and consent to monitoring
    • Establishes policies and procedures for Access without Consent and
    • Seeks to ensure that Access without Consent is consistent with the value of privacy in individual activity and behavior that is consistent with the scientific mission of Berkeley Lab

    B. Persons Affected

    This policy applies to employees and affiliates as well as casual users of Berkeley Lab IT and resources, including collaborators and visitors.

    C. Exceptions

    Not applicable

    D. Policy Statement

    1. Expectation of Privacy
      1. No Expectation of Privacy: Users have no expectation of privacy when they use Berkeley Lab IT, subject to applicable state, federal, Department of Energy (DOE), and University of California laws and regulations.
    2. Authority to Monitor
      1. Authority: System administrators have limited authority to monitor systems for availability and security; however, only the Chief Information Officer, Laboratory Director, or Deputy Director for Operations may grant broad authority to monitor content and transactions on Berkeley Lab IT for security purposes and acceptable use.
      2. Minimal Access: Employees engaged in monitoring must access the minimum amount of information necessary to accomplish any monitoring task and must treat information in a confidential manner as appropriate.
      3. Notice of Monitoring: This policy serves as Notice of Monitoring. Systems with external users must provide notice to these users. Acceptable ways of providing notice include but are not limited to requiring users to sign an agreement or linking to the Berkeley Lab Privacy and Security Notice.
      4. Exceptions: The monitoring or recording of telephone conversations is illegal without the consent of all parties.
    3. Consent to Monitoring
      1. Consent: Use of Berkeley Lab IT constitutes consent to monitoring. Any or all uses of Berkeley Lab IT may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to authorized University of California, DOE, and law-enforcement personnel. Some Berkeley Lab services are provided by third-party providers or monitored by external parties. Where applicable, employees and affiliates acknowledge monitoring by Berkeley Lab, the third-party provider, or external party. Authorized investigative agencies may access any DOE computer used during the period of access to information on a DOE computer, and for a period of three years thereafter.
      2. Written Consent: Use of Berkeley Lab IT serves as written consent to the requirements and policies of the Berkeley Lab Privacy and Security Notice for that system and all other DOE systems. In addition, SEC 0203 Notice of External Monitoring serves as written consent of external monitoring by third-party providers or external parties.
    4. Access without Consent
      1. Individual Access. Individual Access without Consent is access, without a user's permission, to Berkeley Lab information that is normally available to only that user. This access occurs for either investigations or operational necessity and exceeds normal monitoring activities.
      2. Data Access. Data Access without Consent is access to Laboratory Information, which is not normally available to the requestor, which provides individually identifiable information or recordings regarding the activities, actions, or behaviors of employees, affiliates, and other users of Berkeley Lab IT or resources.
      3. Authorizations for Access without Consent
        1. Investigation of Wrongdoing: The Laboratory Deputy Director for Operations or Laboratory Counsel must authorize access for purposes of investigation of wrongdoing.
        2. Legal Requests: Laboratory Counsel must authorize access for legal requests, including requests from law enforcement.
        3. Individual Access: The table below defines the authorization required for individual access for operational access and changes. The Access without Consent Procedure contains the list of privacy implicating services.

          Employee or Affiliate Status

          Operational Access

           

          Operational Changes

           

          Non-privacy implicating

          Privacy implicating

           

          Active or On Leave

          Supervisor or equivalent

          Division director or designee

          Supervisor or equivalent if the individual is unavailable

          Terminated

          Supervisor or equivalent

          Division director or designee

          Supervisor or equivalent

        4. Data Access: The System Owner may authorize access to information for the purposes of operational access or changes.
      4. Fair and Reasonable Access: Employees responsible for authorizing Access without Consent must ensure that requests for access are fair and reasonable, given the potential for abuse inherent in Access without Consent and despite no expectation of privacy in the use of Berkeley Lab IT.
      5. Least Intrusive Means Possible: Methods of access for operational purposes must be limited to the least-intrusive means possible. For example, it is less intrusive to set a vacation message (an operational change) than to give access to e-mail (operational access). Read the service provider guides at this page for help on providing least intrusive means possible.
      6. Minimal Involvement: To maximize confidentiality, the number of persons involved must be limited to only those required to initiate and conduct access.
      7. Electronic Discovery (eDiscovery): The IT Division must provide a point of contact to provide and/or coordinate the provision of access for investigation of wrongdoing and legal requests and to advise on operational access and changes.

    E. Roles and Responsibilities

    Employees engaged in monitoring or Access without Consent must adhere to the provisions of this policy. This policy also emphasizes the following roles and responsibilities:

    Role

    Responsibility

    Deputy Director for Operations

    Approves requests for Access without Consent for purposes of investigating wrongdoing; ensures that requests are fair and reasonable

    Laboratory Counsel

    Approves requests for Access without Consent for legal purposes and to investigate wrongdoing; ensures that requests are fair and reasonable; ensures that requests adhere to applicable laws and policies

    eDiscovery

    Provides and/or coordinates the provision of Access without Consent for investigation of wrongdoing or legal requests; assists with identifying the least-intrusive means possible, including advising service providers, for operational access or changes; coordinates Laboratory approach to e-Discovery at the direction of Laboratory Counsel

    IT Policy Manager

    Helps to ensure that the provision of Access without Consent is fair and reasonable and supports autonomy privacy despite no expectation of privacy in the use of Berkeley Lab IT; determines the list of privacy implicating services

    Division directors

    Ensure that operational access is not for investigatory purposes and that requested access is necessary to accomplish the function; assess if a request for Access without Consent may lead to an investigation and routes the request to the appropriate authorizer

    Supervisors, system owners, other authorizers, or other requestors for Operational Access without Consent

    Ensures that a good-faith effort is made to obtain consent from the individual before requesting operational access or changes; ensures that operational access or changes are not for investigatory purposes and that requested access is necessary to accomplish the function

    F. Definitions/Acronyms

    Term

    Definition

    Berkeley Lab IT

    Berkeley Lab-managed information technology, including computing devices, networks, services, and accounts

    Access without Consent

    Individual Access without Consent is access, without a user's permission, to Laboratory Information that is normally available to only that user. This access occurs for either investigations or operational necessity and exceeds normal monitoring activities; Data Access without Consent is access to Laboratory Information, which is not normally available to the requestor, which provides individually identifiable information or recordings regarding the activities, actions, or behaviors of employees, affiliates, and other users of Berkeley Lab IT or resources

    Investigation of wrongdoing

    Access to identify or detect suspected wrongdoing; examples include examining an employee's e-mail for indication of violations of policy, searching through network-level records for indications of "time wasting," or to access data from card reader systems to investigate an incident

    Legal requests

    Legally enforceable requests, such as a subpoena, search warrant, court order, national security letter, or public records request, and requests for voluntary disclosure of information

    Operational access

    Access to gather operational information or provide continuity of service; for example, a work document in an individual account

    Operational changes

    Access required to modify an operational feature; examples include changing/activating a vacation message for an employee, or changing outgoing voice mail

    G. Recordkeeping Requirements

    None

    H. Implementing Documents

    Document Number

    Title

    Type

    10.01.005.001

    Letter granting broad authority to monitor the Computer Protection Program

    Letter

    10.01.005.002

    Instructions for using the Berkeley Lab Privacy and Security Notice

    Instructions

    10.01.005.003

    Berkeley Lab Notice to Users

    Notice

    10.01.005.004

    Access without Consent Procedure

    Procedure

    I. Contact Information

    Information Technology Policy Manager
    Information Technology Division
    itpolicy@lbl.gov

    J. Revision History

    Date

    Revision

    By whom

    Revision Description

    Section(s) affected

    Change Type

    1/2/2012

    1

    J. Bonaguro

    Rewrite for wiki

    All

    Minor

    2/4/2014

    2

    J. Bonaguro

    Edit

    All

    Major

    3/6/2017 2.1 M. Stoufer

    "Chief Operating Officer" position title updated to "Deputy Director for Operations"

    All Editorial
    3/30/2017 2.2 S. Lau Minor editorial edits All Minor

    DOCUMENT INFORMATION

    Title:

    Privacy, Monitoring, and Access without Consent

    Document number

    10.01.005.000

    Revision number

    2.2

    Publication date:

    3/30/2017

    Effective date:

    2/4/2014

    Next review date:

    3/30/2019

    Policy Area:

    Information Technology

    RPM Section (home)

    Information Management

    RPM Section (cross-reference)

    Section 9.01

    Functional Division

    Information Technology

    Prior reference information (optional)

    RPM, Chapter 9, Section 9.01

    Source Requirements Documents

    • DOE Office of Science Program Cyber Security Plan, June 2010
    • DOE O 205.1B Chg 3, Department of Energy Cyber Security Program, CRD Section 6
    • DOE O 1450.4, Consensual Listening-In to or Recording Telephone/Radio Conversations
    • Clause I.124 – DEAR 952.204–77 Computer Security (AUG 2006), as modified by Contract No. DE-AC02-05CH11231, Appendix P, Section 2

    Implementing Documents

    Document Number

    Title

    Type

    10.01.005.001

    Letter granting broad authority to monitor the Computer Protection Program

    Letter

    10.01.005.002

    Instructions for using the Berkeley Lab Privacy and Security Notice

    Instructions

    10.01.005.003

    Berkeley Lab Notice to Users

    Notice

    10.01.005.004

    Access without Consent Procedure

    Procedure

    • No labels

    Adaptavist ThemeBuilder EngineAtlassian Confluence