RPM | REQUIREMENTS AND POLICIES MANUAL


Title: Privacy, Monitoring, and Access without Consent
Publication date: 2/4/2014
Effective date: 2/4/2014

BRIEF

Policy Summary

To further the secure and acceptable use of Laboratory Information Technology (IT) and Information at Berkeley Lab, this policy:

  • Defines no expectation of privacy in use
  • Establishes authority to monitor and consent to monitoring
  • Establishes policies and procedures for Access without Consent

Who Should Read This Policy

  • Employees and affiliates
  • Other users of Laboratory IT, including collaborators and visitors

To Read the Full Policy, Go To:

The POLICY tab on this wiki page

Contact Information

Information Technology Policy Manager
Information Technology Division
[email protected]
End Brief

Title: Privacy, Monitoring, and Access without Consent
Publication date: 1/2/2012
Effective date: 3/20/2007

POLICY

A. Purpose

To further the secure and acceptable use of Laboratory IT and Information at Lawrence Berkeley National Laboratory (Berkeley Lab), this policy:

  • Defines no expectation of privacy in use
  • Establishes authority to monitor and consent to monitoring
  • Establishes policies and procedures for Access without Consent
  • Seeks to ensure that Access without Consent is consistent with the value of privacy in individual activity and behavior that is consistent with the scientific mission of the Laboratory

B. Persons Affected

This policy applies to employees and affiliates as well as casual users of Laboratory IT and resources, including collaborators and visitors.

C. Exceptions

Not applicable

D. Policy Statement

  1. Expectation of Privacy
    1. No Expectation of Privacy: Users have no expectation of privacy when they use Laboratory IT, subject to applicable state, federal, Department of Energy (DOE), and University laws and regulations.
  2. Authority to Monitor
    1. Authority: System administrators have limited authority to monitor systems for availability and security; however, only the Chief Information Officer, Laboratory Director, or Deputy Chief Operating Officer may grant broad authority to monitor content and transactions on Laboratory IT for security purposes and acceptable use.
    2. Minimal Access: Employees engaged in monitoring must access the minimum amount of information necessary to accomplish any monitoring task and must treat information in a confidential manner as appropriate.
    3. Notice of Monitoring: This policy serves as Notice of Monitoring. Systems with external users must provide notice to these users. Acceptable ways of providing notice include but are not limited to requiring users to sign an agreement or linking to the LBNL Privacy and Security Notice.
    4. Exceptions: The monitoring or recording of telephone conversations is illegal without the consent of all parties.
  3. Consent to Monitoring
    1. Consent: Use of Laboratory IT constitutes consent to monitoring. Any or all uses of Laboratory IT may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to authorized University, DOE, and law-enforcement personnel. Some Berkeley Lab services are provided by third-party providers or monitored by external parties. Where applicable, employees and affiliates acknowledge monitoring by Berkeley Lab, the third-party provider, or external party. Authorized investigative agencies may access any DOE computer used during the period of access to information on a DOE computer, and for a period of three years thereafter.
    2. Written Consent: Use of Laboratory IT serves as written consent to the requirements and policies of the LBNL Privacy and Security Notice for that system and all other DOE systems. In addition, SEC 0203 Notice of External Monitoring serves as written consent of external monitoring by third-party providers or external parties.
  4. Access without Consent
    1. Individual Access. Individual Access without Consent is access, without a user's permission, to Laboratory Information that is normally available to only that user. This access occurs for either investigations or operational necessity and exceeds normal monitoring activities.
    2. Data Access. Data Access without Consent is access to Laboratory Information that is not normally available to the requestor and that provides individually identifiable information or recordings regarding the activities, actions, or behaviors of employees, affiliates, and other users of Laboratory IT or resources.
    3. Authorizations for Access without Consent.
      1. Investigation of Wrongdoing: The Laboratory Chief Operating Officer or Laboratory Counsel must authorize access for purposes of investigation of wrongdoing.
      2. Legal Requests: Laboratory Counsel must authorize access for legal requests, including requests from law enforcement.
      3. Individual Access: The table below defines the authorization required for individual access for operational access and changes. The Access without Consent Procedure contains the list of privacy implicating services.

        | Employee or Affiliate Status | Operational Access: Non-privacy implicating | Operational Access: Privacy implicating | Operational Changes |
        |---|---|---|---|
        | Active or On Leave | Supervisor or equivalent | Division director or designee | Supervisor or equivalent if the individual is unavailable |
        | Terminated | Supervisor or equivalent | Division director or designee | Supervisor or equivalent |

      4. System Access: The System Owner may authorize access to information for the purposes of operational access or changes.
    4. Fair and Reasonable Access: Employees responsible for authorizing Access without Consent must ensure that requests for access are fair and reasonable, given the potential for abuse inherent in Access without Consent and despite no expectation of privacy in the use of Laboratory IT.
    5. Least Intrusive Means Possible: Methods of access for operational purposes must be limited to the least-intrusive means possible. For example, it is less intrusive to set a vacation message (an operational change) than to give access to e-mail (operational access). Read the service provider guides at this page for help on providing least intrusive means possible.
    6. Minimal Involvement: To maximize confidentiality, the number of persons involved must be limited to only those required to initiate and conduct access.
    7. eDiscovery: The IT Division must provide a point of contact to provide and/or coordinate the provision of access for investigation of wrongdoing and legal requests and to advise on operational access and changes.

E. Roles and Responsibilities

Employees engaged in monitoring or Access without Consent must adhere to the provisions of this policy. This policy also emphasizes the following roles and responsibilities:

| Role | Responsibility |
|---|---|
| Chief Operating Officer | Approves requests for Access without Consent for purposes of investigating wrongdoing; ensures that requests are fair and reasonable |
| Laboratory Counsel | Approves requests for Access without Consent for legal purposes and to investigate wrongdoing; ensures that requests are fair and reasonable; ensures that requests adhere to applicable laws and policies |
| eDiscovery | Provides and/or coordinates the provision of Access without Consent for investigation of wrongdoing or legal requests; assists with identifying the least-intrusive means possible, including advising service providers, for operational access or changes; coordinates Laboratory approach to e-Discovery at the direction of Laboratory Counsel |
| IT Policy Manager | Helps to ensure that the provision of Access without Consent is fair and reasonable and supports autonomy privacy despite no expectation of privacy in the use of Laboratory IT; determines the list of privacy implicating services |
| Division directors | Ensure that operational access is not for investigatory purposes and that requested access is necessary to accomplish the function; assess if a request for Access without Consent may lead to an investigation and route the request to the appropriate authorizer |
| Supervisors, system owners, other authorizers, or other requestors for Operational Access without Consent | Ensure that a good-faith effort is made to obtain consent from the individual before requesting operational access or changes; ensure that operational access or changes are not for investigatory purposes and that requested access is necessary to accomplish the function |

F. Definitions/Acronyms

| Term | Definition |
|---|---|
| Laboratory IT | Berkeley Lab-managed IT, including computing devices, networks, services, and accounts |
| Access without Consent | Individual Access without Consent is access, without a user's permission, to Laboratory Information that is normally available to only that user. This access occurs for either investigations or operational necessity and exceeds normal monitoring activities. Data Access without Consent is access to Laboratory Information that is not normally available to the requestor and that provides individually identifiable information or recordings regarding the activities, actions, or behaviors of employees, affiliates, and other users of Laboratory IT or resources |
| Investigation of wrongdoing | Access to identify or detect suspected wrongdoing; examples include examining an employee's e-mail for indication of violations of policy, searching through network-level records for indications of "time wasting," or accessing data from card reader systems to investigate an incident |
| Legal requests | Legally enforceable requests, such as a subpoena, search warrant, court order, national security letter, or public records request, and requests for voluntary disclosure of information |
| Operational access | Access to gather operational information or provide continuity of service; for example, a work document in an individual account |
| Operational changes | Access required to modify an operational feature; examples include changing/activating a vacation message for an employee, or changing outgoing voice mail |

G. Recordkeeping Requirements

None

H. Implementing Documents

| Document Number | Title | Type |
|---|---|---|
| 10.01.005.001 | Letter granting broad authority to monitor the Computer Protection Program | Letter |
| 10.01.005.002 | Instructions for using the LBNL Privacy and Security Notice | Instructions |
| 10.01.005.003 | Berkeley Lab Notice to Users | Notice |
| 10.01.005.004 | Access without Consent Procedure | Procedure |

I. Contact Information

Information Technology Policy Manager
Information Technology Division
[email protected]

J. Revision History

| Date | Revision | By whom | Revision Description | Section(s) affected | Change Type |
|---|---|---|---|---|---|
| 1/2/2012 | 1 | J. Bonaguro | Rewrite for wiki | All | Minor |
| 1/17/2014 | 2 | J. Bonaguro | Edit | All | Major |


DOCUMENT INFORMATION

Title: Privacy, Monitoring, and Access without Consent
Document number: 10.01.005.000
Revision number: 2
Publication date: 2/4/2014
Effective date: 2/4/2014
Next review date: 2/4/2015
Policy Area: Information Technology
RPM Section (home): Information Management
RPM Section (cross-reference): Section 9.01
Functional Division: Information Technology
Prior reference information (optional): RPM, Chapter 9, Section 9.01

Source Requirements Documents

  • DOE Office of Science Program Cyber Security Plan, June 2010
  • DOE O 205.1B, Department of Energy Cyber Security Program, CRD Section 6
  • DOE O 1450.4, Consensual Listening-In to or Recording Telephone/Radio Conversations
  • Clause I.124 – DEAR 952.204–77 Computer Security (AUG 2006), as modified by Contract No. DE-AC02-05CH11231, Appendix P, Section 2


ADDITIONAL INFORMATION

Author name/contact info: J. Bonaguro
Revision 0 publication date: 3/20/2007
Retirement date: n/a
Prior reference information (optional): RPM, Chapter 9, Section 9.01
Inputs from more than one Functional Area? No
List additional Functional Areas & contacts:
Inputs from more than one Policy Area? No
List additional Policy Areas & contacts:
30-day notification needed? No
30-day start date: n/a
30-day end date: n/a
LDAP protected? No
Need TABL reminders? No
Frequency: n/a
Brief reminder text: n/a
Approval Sheet for this revision received (date) [Note: author is responsible]:
Key labels/tags: Information Technology, Information Management
