(a) Monitoring. The UP SYSTEM or its constituent universities may monitor all use of the IT System at all times as may be necessary for its proper management. Activities on the IT System may be automatically and/or continuously logged. System and network administrators may examine these logs anytime. All logs shall be considered confidential.
(b) Access to Private Files. The UP SYSTEM may access all aspects of the IT System, including private files, without the consent of the user, in the following instances:
- When necessary to identify or diagnose systems or security vulnerabilities and problems, or otherwise preserve the integrity, reliability, availability, confidentiality and efficiency of the IT System;
- When such access to the IT System is required to carry out essential business functions of the UP SYSTEM;
- When necessary to avoid disrepute to the UP SYSTEM;
- When there are reasonable grounds to believe that a violation of law or a significant breach of this Policy or any other policy of the UP SYSTEM may have taken place, and that access and inspection may produce evidence related to the misconduct;
- When required by law or administrative rules or court order; or
- When required to preserve public health and safety. The UP SYSTEM will access private files without the consent of the user only with the approval of the Chancellor except when an emergency entry is necessary to preserve the integrity, reliability, availability, confidentiality and efficiency of the IT System or to preserve public health and safety. The UP SYSTEM through the system and network administrators will document all instances of access without consent.
(c) Reporting Problems and misuse. Users must report to the appropriate system administrators any defects discovered in system accounting or system security, all known or suspected abuse or misuse of the IT System, and especially any damage to or problems with their facilities or files.
(d) User Cooperation. Users, when requested, are expected to cooperate with UP SYSTEM in any investigation of IT system abuse.
(e) Guidelines for Immediate Action.
- Notification. When any system administrator or member of the faculty or staff has persuasive evidence of abuse or misuse of the IT System, and if that evidence points to the activities or the files of an individual, he or she shall, within 24 hours of the discovery of the possible misuse, notify the Chancellor or his/her duly designated authority.
- Suspension. In such cases, the system administrator may temporarily suspend or restrict the user’s access privileges for a period not exceeding 72 hours. A user may appeal such suspension or restriction and petition for immediate reinstatement of privileges through the Chancellor or his/her duly designated authority. The Chancellor may extend the suspension for thirty (30) days.
- Removal. In addition, in such cases, the system administrator may immediately remove or uninstall from the IT System any material, software or hardware which poses an immediate threat to the integrity, reliability, availability, confidentiality and efficiency of the IT System or any of its components or if the use might be contrary to this Policy. The user shall be notified of the action taken. A user may appeal such removal and petition for reinstatement of the material within fifteen (15) days from removal.
(f) Investigation. The investigation and prosecution of academic and administrative personnel and students shall be in accordance with the regulations of the UP SYSTEM. The investigating committee, body or tribunal must have at least one member knowledgeable about IT. The actions the proper officer may undertake include but are not limited to the following:
- Extend the suspension or restriction of a user’s privileges for the duration of the investigation, or as may be deemed necessary to preserve evidence and protect the system and its users;
- Call and interview potential witnesses; and
- Summon the subject of the complaint to provide information.
(g) Filing of Criminal Charges. In cases where there is evidence of serious misconduct or possible criminal activity, the Chancellor shall file the appropriate criminal charges with the proper courts. Where proceedings have been instituted against a user for violation of this Policy, the Chancellor may indefinitely suspend or restrict the user’s access privileges for the duration of such proceedings.
(h) Cumulative Remedies. The procedures under this Policy shall not exclude any other remedy available to any injured or interested party under any relevant law, administrative rule or regulation, or other policy of the UP SYSTEM.
(i) External Legal Processes. The UP SYSTEM shall comply with any lawful order to provide electronic or other records or other information related to those records or relating to use of the IT System which may result from coercive processes in administrative investigations, or judicial actions or proceedings.