Procedure

Interception of communications Standard Operating Procedure

Updated on 21 May 2020

Scope

Where a formal investigatory (or similar) process is required, the University may, in limited circumstances, secure relevant data.

Subject to approval per the procedure below, the content, logs, metadata and/or other administrative information concerning communications made using University systems may be reviewed further to the matter under consideration.

An investigatory process may be required further to the University’s own procedures or initiated by external agencies as appropriate.

Matters managed under the normal delegated authority of Deans and/or Directors (such as the routine misuse of computing facilities or recovery from data incidents) are outwith the scope of this procedure.

When in doubt concerning the extent of delegated authority, guidance must be sought from the Director of Academic and Corporate Governance and/or the Director of LLC&CI on whether a matter requires consideration per the terms of this procedure.

Responsibilities

The Secretary of the University, Director of LLC&CI and/or Director of Academic and Corporate Governance are responsible for the proper management of investigations under this procedure.

Members of University Executive Group are responsible for the approval of interceptions made under this procedure.

The Head of Information Governance is responsible for the maintenance of this procedure.

Procedure

Where, in the view of one or more of the officers identified in 3.2, it is appropriate to secure data pending or further to an investigation, that data shall be secured by IT and/or the School or Service which holds it.

The officers who may request that data is secured are:

  • Secretary of the University
  • Vice Principal, Provost
  • Vice Principal, Research
  • Vice Principal, Education
  • Director of People
  • Director, Academic and Corporate Governance
  • Director, LLC&CI
  • Director of Legal
  • The Head of Information Governance

Any request to secure data must be made in writing and concern matters within the competence of that University officer.

The request to secure data shall be made to the Director IT and the relevant School Manager/Director.

Once secured, the decision on whether to proceed with the interception or review of communications or their associated metadata shall be considered by the Secretary of the University (or the Director of LLC&CI and/or the Director of Academic and Corporate Governance in the Secretary’s absence).

The Secretary of the University shall consult with any such officers they deem appropriate including, but not limited to, Legal, Information Governance, Academic and Corporate Governance and the President of DUSA.

The decision to recommend the approval of interception/review shall rest with the Secretary of the University (or the Director of LLC&CI and/or the Director of Academic and Corporate Governance in the Secretary’s absence). Two members of University Executive Group unconnected with the matter under investigation shall indicate their agreement with the detail and extent of interception/review suggested, upon which the proposal will be deemed approved.

Should the Secretary deem interception/review inappropriate following consultation, or fail to secure the agreement of two members of University Executive Group unconnected with the matter, their decision (or that of the Director of LLC&CI and/or the Director of Academic and Corporate Governance in the Secretary’s absence) shall be final. Should additional information be identified subsequently, this decision may be reviewed.

Interception/review shall only be approved where the reasons accord with those lawful purposes detailed in the Investigatory Powers (Interception by Businesses etc. for Monitoring and Record-keeping Purposes) Regulations 2018.

The extent of interception/review shall be proportionate and the minimum necessary for the purpose specified.

Change control

Change | Date | Authority
Approval. | 29 May 2015 | Information Management Committee
Explicit mention of role of President of DUSA. | 8 July 2015 | Secretary of the University
Revision per new SOP template for information governance issues. | 3 November 2015 | Chief Information Officer, Secretary of the University
Review. Minor updates to reflect changes in roles and add clarity. Addition of option to consider routine matters under delegated authority of Directors of Professional Services. | March 2018 | Head of Information Governance
Consultation with Data, Records and Information Committee. | March 2018 |
Review and revision to separate process of securing information from process of review/interception (recognising that the need to secure data may be time-sensitive). | April 2019 | Revised by Head of Information Governance, Director IT and Director LLC&CI. Approved 3 May 2019, Data Records and Information Committee

Enquiries

Data Protection

dataprotection@dundee.ac.uk
Corporate information category Data protection