[Micronet] Who Owns Google and Box Files When An Employee Leaves


[Micronet] Who Owns Google and Box Files When An Employee Leaves

Judy Dobry
Hi,

When an employee leaves, I know that it's general University policy that
we will not have access to their email account.  Just wondering what the
policy is vis a vis their box and Google Apps accounts.

Thanks,

Judy


 
-------------------------------------------------------------------------
The following was automatically added to this message by the list server:

To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:

http://micronet.berkeley.edu

Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.

Re: [Micronet] Who Owns Google and Box Files When An Employee Leaves

Tom Holub
The policy is actually schizophrenic. Almost all "electronic communications" are university records, by policy, and thus are owned by the university. But, we have a policy which states that no one can access "your" electronic communications without your consent, unless there is a life safety situation or if granted an exception at the Chancellor level.

What that means is that if someone leaves your office for another position on campus, you can't have access to their email. But if they leave the university entirely, they lose the protections of the Electronic Communications Policy, and the records revert to the university.

[My personal view: I don't think we should have a policy asserting individual privacy of @berkeley.edu emails or documents. They are mostly public records, so any such policy cannot help but be schizophrenic.]

From a policy perspective, it seems clear that Google Docs and Box constitute Electronic Communications under the ECP, and thus live in this schizophrenic zone. 

From a technical perspective, Google Docs and Box documents are owned by individuals, and they go away when the owner's account goes away. It's a pain to transfer ownership, especially without the consent of the owner; I'm not sure if we have a mechanism to take ownership of these kinds of files.



On Tue, May 7, 2013 at 10:38 AM, Judy Dobry <[hidden email]> wrote:
Hi,

When an employee leaves, I know that it's general University policy that
we will not have access to their email account.  Just wondering what the
policy is vis a vis their box and Google Apps accounts.

Thanks,

Judy






--
Tom Holub ([hidden email], 510-642-9069)
Director of Computing, College of Letters & Science
101.D Durant Hall
<http://LSCR.berkeley.edu/>

 

Re: [Micronet] Who Owns Google and Box Files When An Employee Leaves

Mike Friedman
On 2013-05-07 10:50, Tom Holub wrote:

> [My personal view: I don't think we should have a policy asserting individual privacy of @berkeley.edu emails or documents. They are mostly public records, so any such policy cannot help but be schizophrenic.]

Tom,

You seem to be assuming that @berkeley.edu addresses are used only for University business.  What about retirees (e.g., like me :-) ) or alumni, for whom UCB is their personal email provider?  Which then raises the broader question of how does one achieve mail privacy at all these days?  Sure, I could go to another provider, like Google (non-UCB), Yahoo, Microsoft, etc.  Where the issue doesn't go away, but perhaps gets even worse.  And with the trend toward web mail, where we are expected to keep all our mail, indefinitely, on a server over which we have no control and also to process our mail on the server, the situation is exacerbated as, over time, the chances of unwarranted (in more than one sense of that word!) access to our mail increase.

This goes beyond the issue of UC's privacy rules.  By outsourcing its email service to Google, UC has merely become a small part of a bigger problem.

Do you ever correspond with, for example, your Tax advisor, perhaps transmitting information you'd rather not be accessible to Google, etc, especially on an ongoing basis because your cumulative mail is stored with them?   Not to mention personal correspondence whose contents should be nobody's business but your own.

Despite some assurances to the contrary, how do we know that Google doesn't scan our mail for keywords?  (Hmm, didn't I hear something about that?). And, if so, should I expect a knock on my door if I happen to include words in my email like "bomb", "terrorist", "next week", in close proximity.  (Oops!).

You may think that you're not important enough for Google (or Microsoft, etc.) to care about you.  But should any large powerful entity, whether corporate or governmental, decide to favor you with its attention and your email provider chooses to cooperate, what is your recourse?

It used to be that the function of a mail service (e.g., the P.O.) was to transmit your mail, not hold on to it, and it was (is?) a serious crime for anyone but a postal inspector to open first class mail not addressed to him/her, without the intended recipient's permission.  What is the counterpart of that for email?  We've come a long way, and it's not looking good!   And with the push toward a decrease in postal service (because, after all, isn't everyone using email instead?), even the alternative of using first class mail may become more problematic.

But this is all to be accepted quietly, I guess, as Google "Glass" is on the way so we'll eventually have to act at all times as if we're under constant observation anyway!  Apropos recent discussions here about antique computer technologies still in people's possession, it occurs to me that we might as well add Orwell's telescreens to the heap.

Mike

-- 
Mike Friedman
[hidden email]
http://mikefberkeley.com


 

Re: [Micronet] Who Owns Google and Box Files When An Employee Leaves

Jonathan Felder-2
Assuming you aren't running your own email server, how can you trust any
mail provider?  Furthermore, even if you are confident your mail is
secure, how do you know that the people you correspond with have secure
mail providers?

If you have regular email correspondence that you'd rather someone else
didn't see, you should honestly consider encrypting it.

--
Jon

On 5/7/13 12:02 PM, Mike Friedman wrote:

> On 2013-05-07 10:50, Tom Holub wrote:
>
>> [My personal view: I don't think we should have a policy asserting
>> individual privacy of @berkeley.edu emails or documents. They are
>> mostly public records, so any such policy cannot help but be
>> schizophrenic.]
>
> Tom,
>
> You seem to be assuming that @berkeley.edu addresses are used only for
> University business.  What about retirees (e.g., like me :-) ) or
> alumni, for whom UCB is their personal email provider?  Which then
> raises the broader question of how does one achieve mail privacy at all
> these days?  Sure, I could go to another provider, like Google
> (non-UCB), Yahoo, Microsoft, etc.  Where the issue doesn't go away, but
> perhaps gets even worse.  And with the trend toward web mail, where we
> are expected to keep all our mail, indefinitely, on a server over which
> we have no control and also to process our mail on the server, the
> situation is exacerbated as, over time, the chances of unwarranted (in
> more than one sense of that word!) access to our mail increase.
>
> This goes beyond the issue of UC's privacy rules.  By outsourcing its
> email service to Google, UC has merely become a small part of a bigger
> problem.
>
> Do you ever correspond with, for example, your Tax advisor, perhaps
> transmitting information you'd rather not be accessible to Google, etc,
> especially on an ongoing basis because your cumulative mail is stored
> with them?   Not to mention personal correspondence whose contents
> /should be/ nobody's business but your own.
>
> Despite some assurances to the contrary, how do we know that Google
> doesn't scan our mail for keywords?  (Hmm, didn't I hear something about
> that?). And, if so, should I expect a knock on my door if I happen to
> include words in my email like "bomb", "terrorist", "next week", in
> close proximity.  (Oops!).
>
> You may think that you're not important enough for Google (or Microsoft,
> etc.) to care about you.  But should any large powerful entity, whether
> corporate or governmental, decide to favor you with its attention and
> your email provider chooses to cooperate, what is your recourse?
>
> It used to be that the function of a mail service (e.g., the P.O.) was
> to /transmit/ your mail, not hold on to it, and it was (is?) a serious
> crime for anyone but a postal inspector to open first class mail not
> addressed to him/her, without the intended recipient's permission.  What
> is the counterpart of that for email? We've come a long way, and it's
> not looking good!   And with the push toward a decrease in postal
> service (because, after all, isn't everyone using email instead?), even
> the alternative of using first class mail may become more problematic.
>
> But this is all to be accepted quietly, I guess, as Google "Glass" is on
> the way so we'll eventually have to act at all times as if we're under
> constant observation anyway!  Apropos recent discussions here about
> antique computer technologies still in people's possession, it occurs to
> me that we might as well add Orwell's telescreens to the heap.
>
> Mike
>
> --
> Mike Friedman
> [hidden email]
> http://mikefberkeley.com
>
>
>
>

 

Re: [Micronet] Who Owns Google and Box Files When An Employee Leaves

Mike Friedman
On 2013-05-07 17:31, Jonathan Felder wrote:
> Assuming you aren't running your own email server, how can you trust any
> mail provider?  Furthermore, even if you are confident your mail is
> secure, how do you know that the people you correspond with have secure
> mail providers?

Jonathan,

This is, indeed, part of what I was getting at.  However, it's one thing for your email provider to possess your mail while in transmission.  But the trend toward web mail, where you're expected to keep your mail on the server all the time and work from there, exacerbates the problem.

> If you have regular email correspondence that you'd rather someone else
> didn't see, you should honestly consider encrypting it.

Which is made more difficult when people stop using email clients that are local to them, so that at least the secret encryption keys are not also kept on the server.  I can't even make a private arrangement with individuals I know to do encryption, because they're using web mail (and who knows which browser, which may not have an encryption plug-in)?

Anyway, my main current concern is with the trend toward leaving mail on the server indefinitely.  As it happens, I don't do that.  I move all my bMail contents that I want to keep (which is a large percentage) to my Thunderbird client several times per day.  This even includes the bMail deleted "folder", and after doing this, I must select "Empty deleted", because merely moving mail out of "deleted" doesn't actually remove the mail from the server;  I suppose it just removes the "deleted" label.  "Empty deleted", however, does the trick.  (I also keep a Chrome window open on bMail just to make sure nothing's usually there, and also to keep an eye on my spam folder, in case I have to continue "training" Google's overly aggressive filters).

I know, it's a nuisance;  I spend about two or three times as long processing my Thunderbird mail since we went to bMail.  But at least, for the most part, my stuff exists at Google only from the time it's delivered until I process it.  I also realize that during this window, some of my stuff may wind up on a Google backup.  All of which just confirms what I've been talking about.

Mike


-- 
Mike Friedman
[hidden email]
http://mikefberkeley.com


 

Re: [Micronet] Who Owns Google and Box Files When An Employee Leaves

Lisa Ho
In reply to this post by Judy Dobry
In response to Judy's original question,

> When an employee leaves, I know that it's general University policy that
> we will not have access to their email account.  Just wondering what the
> policy is vis a vis their box and Google Apps accounts.

an FAQ on accessing a former employee's electronic files (which would include Box and Google) is published at:


It states "While ECP (UC Electronic Communication Policy) provisions do not cover former employees, campus practice extends similar courtesies of consent or notice and least degree of invasiveness to former employees when possible."

As noted by Tom, 

> The policy is actually schizophrenic. Almost all "electronic communications" are university records, by policy, and thus are owned by the university. But, we have a policy which states that no one can access "your" electronic communications without your consent, unless there is a life safety situation or if granted an exception at the Chancellor level.

University records are the property of the Regents. When an individual separates from the University, electronic files left behind (including any records from personal incidental use) revert to the University.  In practice, Berkeley limits access to those records as a courtesy because of broad (perhaps broader than appropriate) expectations of privacy and the co-mingling of personal and University records.  This courtesy practice could be changed with effort put into managing privacy expectations and co-mingling practices.

Responsibility for approval of non-consensual access requests was delegated by the Chancellor to the Associate Vice Chancellor & CIO.  

Regarding the schizophrenic characterization of policy in this area, I would reframe that as a natural result of allowing incidental personal use of University electronic resources (per the ECP), and balancing privacy interests against other competing University values and obligations.  For example, Attachment 1: User Advisories to the ECP, introduces section V.A. Privacy Limits with: "The privacy of electronic communications at the University is limited by: i) laws that protect the public's right to know about the public business; ii) policies that require employees to comply with management requests for University records in their possession..."


The UC Privacy and Information Security Steering Committee recently released their report that proposes (among other things) a Privacy Balancing Process as a "tool to guide policy-making and decision-making when competing privacy interests, University values, or obligations exist."  I will forward the report to Micronet once the steering committee has created additional context documents to aid review of their report.

Lisa

--

Lisa Ho
IT Policy Manager
University of California, Berkeley
510.642.2422

 

Re: [Micronet] Who Owns Google and Box Files When An Employee Leaves

Judy Dobry
Thanks Lisa, this is very helpful.  It also points to a bigger need in this area: We really need a place for departmental files.  Just as we have personal filing cabinets and departmental filing cabinets, we need personal spaces on Box or Google for our own files but we also need a place for official files (the official terms of a fellowship, contracts, personnel files, etc.)

Right now the Hub offers one place for this type of data and we are using it.  But many of us would like to use Google and Box in the same way.  So I'm wondering if anyone has suggestions on how we might work collectively to make that a possibility.

Judy
On 5/10/2013 4:34 PM, Lisa Carol Ho wrote:
In response to Judy's original question,

When an employee leaves, I know that it's general University policy that
we will not have access to their email account.  Just wondering what the
policy is vis a vis their box and Google Apps accounts.

an FAQ on accessing a former employee's electronic files (which would include Box and Google) is published at:


It states "While ECP (UC Electronic Communication Policy) provisions do not cover former employees, campus practice extends similar courtesies of consent or notice and least degree of invasiveness to former employees when possible."

As noted by Tom, 

The policy is actually schizophrenic. Almost all "electronic communications" are university records, by policy, and thus are owned by the university. But, we have a policy which states that no one can access "your" electronic communications without your consent, unless there is a life safety situation or if granted an exception at the Chancellor level.

University records are the property of the Regents. When an individual separates from the University, electronic files left behind (including any records from personal incidental use) revert to the University.  In practice, Berkeley limits access to those records as a courtesy because of broad (perhaps broader than appropriate) expectations of privacy and the co-mingling of personal and University records.  This courtesy practice could be changed with effort put into managing privacy expectations and co-mingling practices.

Responsibility for approval of non-consensual access requests was delegated by the Chancellor to the Associate Vice Chancellor & CIO.  

Regarding the schizophrenic characterization of policy in this area, I would reframe that as a natural result of allowing incidental personal use of University electronic resources (per the ECP), and balancing privacy interests against other competing University values and obligations.  For example, Attachment 1: User Advisories to the ECP, introduces section V.A. Privacy Limits with: "The privacy of electronic communications at the University is limited by: i) laws that protect the public's right to know about the public business; ii) policies that require employees to comply with management requests for University records in their possession..."


The UC Privacy and Information Security Steering Committee recently released their report that proposes (among other things) a Privacy Balancing Process as a "tool to guide policy-making and decision-making when competing privacy interests, University values, or obligations exist."  I will forward the report to Micronet once the steering committee has created additional context documents to aid review of their report.

Lisa

--

Lisa Ho
IT Policy Manager
University of California, Berkeley
510.642.2422


 


-- 
Judy Dobry
Director, Systems
Graduate Division
309 Sproul Hall
UC, Berkeley
Berkeley, CA 94720
510 642 1131

 

Re: [Micronet] Who Owns Google and Box Files When An Employee Leaves

Patrick McGrath
Hi Judy, I totally agree with your perspective.

Unfortunately, the late-breaking news is that Box has pushed Group functionality back on their roadmap to late this calendar year.

The bright side of our situation is that our CalNet team is making considerable progress with early pilots of the Grouper program which will provide some of the functions necessary to manage a central definition of groups on campus. This is being integrated with a number of Apps, and Box, Hub, CalShare and Google are all on the roadmap. Dedra may be able to chime in here with additional details of the program, which is very exciting.

One of the central issues related to the group functionality is the impact of groups and content "ownership". As you point out, many of our new services follow the individual sharing with individual model. However, when the sharer leaves, what do we do with the content? Our CalShare system works well as a group centric platform now, and the campus group service will help to make sure that we can subscribe to the same sets of groups instead of the ones resident in each application. We addressed the Hub platform by having a definition of a departmental site, and any files contributed have their ownership transferred to the site. That way, one of a number of site managers would always still have access to the content even if the original sharer left and was deprovisioned. I hope I haven't made things quadruply complicated.

We do have a project also in process to develop some more standard policies and guidelines that will be applied to our content platforms in accordance with the guidance Lisa provided earlier in the thread. The idea is that a standard approach will make it easier for folks to more consistently do the right things with - especially - UCB content. It's quite possible there may be slight deviations in what we can do to implement the policy for each platform, but that's the general idea. We're looking at this for the content services provided by IST, Productivity Suite and ETS with the new learning management system.

Right now, I don't have a specific timeline when all this will happen, but will let you know as soon as possible. In the meantime, the Hub option and CalShare are probably your best bets for departmental documents. NAS-based storage from IST may also be an option for you as well, as it's managed through Active Directory. However, note that it is storage rather than a content system, which is generally stronger for managing, searching and finding document-related materials.

Let me know if this makes no sense at all and I can try to elaborate.

Have a great weekend.

Best, 

Patrick   





On May 10, 2013, at 4:51 PM, Judy Dobry <[hidden email]> wrote:

Thanks Lisa, this is very helpful.  It also points to a bigger need in this area: We really need a place for departmental files.  Just as we have personal filing cabinets and departmental filing cabinets, we need personal spaces on Box or Google for our own files but we also need a place for official files (the official terms of a fellowship, contracts, personnel files, etc.)

Right now the Hub offers one place for this type of data and we are using it.  But many of us would like to use Google and Box in the same way.  So I'm wondering if anyone has suggestions on how we might work collectively to make that a possibility.

Judy
On 5/10/2013 4:34 PM, Lisa Carol Ho wrote:
In response to Judy's original question,

When an employee leaves, I know that it's general University policy that
we will not have access to their email account.  Just wondering what the
policy is vis a vis their box and Google Apps accounts.

an FAQ on accessing a former employee's electronic files (which would include Box and Google) is published at:


It states "While ECP (UC Electronic Communication Policy) provisions do not cover former employees, campus practice extends similar courtesies of consent or notice and least degree of invasiveness to former employees when possible."

As noted by Tom, 

The policy is actually schizophrenic. Almost all "electronic communications" are university records, by policy, and thus are owned by the university. But, we have a policy which states that no one can access "your" electronic communications without your consent, unless there is a life safety situation or if granted an exception at the Chancellor level.

University records are the property of the Regents. When an individual separates from the University, electronic files left behind (including any records from personal incidental use) revert to the University.  In practice, Berkeley limits access to those records as a courtesy because of broad (perhaps broader than appropriate) expectations of privacy and the co-mingling of personal and University records.  This courtesy practice could be changed with effort put into managing privacy expectations and co-mingling practices.

Responsibility for approval of non-consensual access requests was delegated by the Chancellor to the Associate Vice Chancellor & CIO.  

Regarding the schizophrenic characterization of policy in this area, I would reframe that as a natural result of allowing incidental personal use of University electronic resources (per the ECP), and balancing privacy interests against other competing University values and obligations.  For example, Attachment 1: User Advisories to the ECP, introduces section V.A. Privacy Limits with: "The privacy of electronic communications at the University is limited by: i) laws that protect the public's right to know about the public business; ii) policies that require employees to comply with management requests for University records in their possession..."


The UC Privacy and Information Security Steering Committee recently released their report that proposes (among other things) a Privacy Balancing Process as a "tool to guide policy-making and decision-making when competing privacy interests, University values, or obligations exist."  I will forward the report to Micronet once the steering committee has created additional context documents to aid review of their report.

Lisa

--

Lisa Ho
IT Policy Manager
University of California, Berkeley
510.642.2422


 


-- 
Judy Dobry
Director, Systems
Graduate Division
309 Sproul Hall
UC, Berkeley
Berkeley, CA 94720
510 642 1131



 

Re: [Micronet] Who Owns Google and Box Files When An Employee Leaves

Graham Patterson
In reply to this post by Judy Dobry

Traditionally this has been the domain of the file server, though these
days it probably makes economic sense to buy Network Attached Storage
(NAS) space from the IST storage group rather than buy your own server
if all you need is organized storage.

It takes a little planning to come up with the right set of access
groups and file organization, but the effort is worth it. The most
common mistake is to replicate the org tree rather than look at which
sets of people need access to which files. It is largely done by group
membership, not individual accounts. Some experienced help for setup,
and a little ongoing account maintenance (plus backup) is all it needs.

In my experience the people who get the most out of setting up a file
server are those with a plan or data hierarchy in mind. A file system is
a file system, however it is managed. The 'clothes in a heap in the
middle of the floor' model won't cut it 8-)

If you need departmental space owned and managed by the department, not
an individual, that's the way to go.


Graham

On 5/10/2013 4:51 PM, Judy Dobry wrote:

> Thanks Lisa this is very helpful.  It also points to a bigger need in
> this area: We really need a place for departmental files.  Just as we
> have personal filing cabinets and departmental filing cabinets, we need
> personal spaces on Box or Google for our own files but we also need a
> place for official files (the official terms of a fellowship, contracts,
> personnel files, etc.)
>
> Right now the Hub offers one place for this type of data and we are
> using it.  But many of us would like to use Google and Box in the same
> way.  So I'm wondering if anyone has suggestions on how we might work
> collectively to make that a possibility.
>
> Judy
> On 5/10/2013 4:34 PM, Lisa Carol Ho wrote:
>> In response to Judy's original question,
>>
>>     When an employee leaves, I know that it's general University policy
>>     that we will not have access to their email account.  Just wondering
>>     what the policy is vis a vis their box and Google Apps accounts.
>>
>>
>> an FAQ on accessing a former employee's electronic files (which would
>> include Box and Google) is published at:
>>
>>     https://security.berkeley.edu/content/can-i-access-former-employees-email-or-files
>>
>>
>> It states "While ECP (UC Electronic Communication Policy) provisions
>> do not cover former employees, campus practice extends similar
>> courtesies of consent or notice and least degree of invasiveness to
>> former employees when possible."
>>
>> As noted by Tom,
>>
>>     The policy is actually schizophrenic. Almost all "electronic
>>     communications" are university records, by policy, and thus are
>>     owned by the university. But, we have a policy which states that
>>     no one can access "your" electronic communications without your
>>     consent, unless there is a life safety situation or if granted an
>>     exception at the Chancellor level.
>>
>>
>> University records are the property of the Regents. When an individual
>> separates from the University, electronic files left behind (including
>> any records from personal incidental use) revert to the University.
>>  In practice, Berkeley limits access to those records as a courtesy
>> because of broad (perhaps broader than appropriate) expectations of
>> privacy and the co-mingling of personal and University records.  This
>> courtesy practice could be changed with effort put into managing
>> privacy expectations and co-mingling practices.
>>
>> Responsibility for approval of non-consensual access requests was
>> delegated by the Chancellor to the Associate Vice Chancellor & CIO.
>>
>> Regarding the schizophrenic characterization of policy in this area, I
>> would reframe that as a natural result of allowing incidental personal
>> use of University electronic resources (per the ECP), and balancing
>> privacy interests against other competing University values and
>> obligations.  For example, Attachment 1: User Advisories to the ECP,
>> introduces section V.A. Privacy Limits with: "The privacy of
>> electronic communications at the University is limited by: i) laws
>> that protect the public's right to know about the public business; ii)
>> policies that require employees to comply with management requests for
>> University records in their possession..."
>>
>> http://www.ucop.edu/ucophome/policies/ec/html/pp081805ecpatt1.html
>>
>> The UC Privacy and Information Security Steering Committee recently
>> released their report that proposes (among other things) a Privacy
>> Balancing Process as a "tool to guide policy-making and
>> decision-making when competing privacy interests, University values,
>> or obligations exist."  I will forward the report to Micronet once the
>> steering committee has created additional context documents to aid
>> review of their report.
>>
>> Lisa
>>
>> --
>>
>> Lisa Ho
>> IT Policy Manager
>> University of California, Berkeley
>> 510.642.2422
>>
>>
>>
>
>
> --
> Judy Dobry
> Director, Systems
> Graduate Division
> 309 Sproul Hall
> UC, Berkeley
> Berkeley, CA 94720
> 510 642 1131
>
>
>
>
>

--
Graham Patterson, Systems Administrator
Lawrence Hall of Science, UC Berkeley   510-643-2222
"...past the iguana, the tyrannosaurus, the mastodon,
the mathematical puzzles, and the meteorite..." - directions to my office.

 