Requesting Access to Accounts of Employees on Leave
Introduction
This article outlines the process for requesting access to active accounts used by an employee who is on leave from their position at the University of Alberta. This includes access to email, G Suite (Gmail and Drive), computer files, network shares, and any other data repositories.
Due to Alberta's privacy legislation, a rigorous approval process is required to ensure compliance, as these accounts may contain an individual's personal information. Please be aware that this process can take several weeks. Where possible, departments should arrange for employees to clean up personal information and transfer all work-related documents and ownership to the appropriate shared drives or accounts before the start date of their leave.
For requests to accounts where the employee no longer works at the university, please see the appropriate knowledge base article.
Applicability
This process is applicable to Authorized Approvers at the University of Alberta whose departments need to access the account of an employee on any type of leave. Any misuse of this procedure is strictly prohibited and may result in disciplinary action under the University's Information Technology Use and Management Policy.
The Approval Process
Conditions for Approval
Access will only be granted if the following conditions are met:
- Approval from a Dean, Director, or Chair (or Assistant Dean, Director, or Chair) from the department where the employee works. If a Dean, Director, or Chair is the one making the request, a one-over approval is required.
- Approval from the Office of the Chief Information Security Officer.
- The request must be specific.
  - Example of an approvable request: "The employee was working on Project X, and we need emails sent about Project X."
  - Example of a request likely to be rejected: "The employee is on leave, and we want to see if there might be something we need."
- Requests MUST include written or photographic evidence (such as screenshots of text messages or records of phone calls) that the department has tried a minimum of three times to reach out to the affected employee requesting that they transfer the documents or emails required for the business functions of the university to continue.
Procedures for Submitting a Request
Once you are ready to proceed, please send an email to the Office of the Chief Information Security Officer at ciso@ualberta.ca with the following information:
- CCID or Employee ID number of the affected employee
- Name of the appropriate Dean, Director, or Chair (or Assistant Dean, Director, or Chair) for the approval
- Brief description of exactly what information is required that exists in the employee’s account and how the lack of this information is negatively impacting the department
- Attach evidence of the three attempts to reach out to the individual
Please do not include specific details of the individual’s medical status. This information is not required for the CISO to approve the request.
Additional Considerations
- For information in the employee’s email inbox, we will delegate the email account to a representative from the Office of the CISO, and will work with the department to forward or save the relevant documents.
- To retrieve or change ownership of files in Google Drive, please note that the affected employee will lose access to their account and will need to phone in to the IST Service Desk to regain access.
  - If the files are shared with an active employee in the department, it is preferred that the department make a copy of the needed files, store them in a Google Shared Drive and continue work from these new files where possible.
  - Consideration should be given to the employee regarding the hardship that they may experience with a temporary loss of access to their account, particularly for those on medical leave where phoning in to the Service Desk may be difficult and the employee may need their email to converse with Homewood Health or other medical service providers.
- For information stored in a department file share, the Office of the CISO will work with the IST server teams to retrieve the documents without needing to directly access the account.
Terms of the Request
When you submit a request, you agree to these terms:
- Limit Access to Business Records: Access and disclosure must be limited to University business and records only. Sensitive communications, such as those between the employee and Homewood Health or other medical providers, are off-limits.
- Create a Search List: It is prudent to have a concise list of the items you need to search for. This documentation can be helpful if challenges arise later.
- Temporary Access: Account access should be limited to the time needed to retrieve the required information. An auto-reply can be set up to redirect business inquiries.
Your unit's need to ensure and maintain continuity is reasonable from a business and operations perspective. That said, please be extremely prudent, cautious, and careful when gaining control of and accessing information from your employee's UAlberta accounts.
We have faced and are currently facing grievances, complaints, and other challenges where employees suggest the University overstepped its bounds and inappropriately conducted unauthorized disclosures and access to personal and other non-University information and records.
Please ensure your unit's accesses and disclosures are limited to only University business and records. In addition, other sensitive communications, such as those between an employee and their AASUA/NASA or other representative, are off-limits. All other personal information and records are also off-limits. If the repository is heavily commingled with business and personal records, discussion with the IPRM Office or CISO may be needed.
Preferably and where possible, have a concise list of those items your unit needs and will search for. Retain this list with other associated search details. Such documentation provides an indication of the transactions conducted and the information sought. This documentation is useful should subsequent challenges or issues arise. Again, we recognize that in cases of business continuity, the practice of developing a list for each and every information item sought may not be practical, but some process around what is accessed, and why, is required.
The Information Privacy and Records Management Office (IPRMO) is aware of these types of requests, as we work together on matters concerning the University's information management, privacy, and security requirements and oversight.
Keywords: request, ccid, email, gmail, account, documents, file, share, home, drive, local, computer, user, access, ATIA, POPA, files, folder, google, gdocs, docs, approval, employee, leave, form, information access requests, medical, leave of absence