Procedure

Interception of communications Standard Operating Procedure

This Standard Operating Procedure outlines when the University may need to secure and access relevant data that is stored on its system.

Updated on 23 May 2025

Where a formal investigation (or similar) process is required in respect of a member of the University community, the University may, in limited circumstances, secure and access relevant data that is stored on its system.

This procedure relates to the release of information for the legitimate purpose of investigation. A formal investigatory process may be required further to the University’s own procedures or initiated by external agencies as appropriate.

If you are unsure concerning the extent of delegated authority, guidance must be sought from the Data Protection Officer on whether a matter requires consideration per the terms of this procedure.

Scope of data

Data that is subject to this procedure includes, but is not limited to:

  • Telephone use
  • Email content and traffic
  • Internet use
  • Device activity
  • CCTV
  • Physical tracking
  • any other information (whether in hardcover or digital format) or data (including content, logs and/or metadata) stored on its system or IT infrastructure (whether hosted on third party servers, in-house or otherwise) concerning communications made using University systems, which may be reviewed further to the matter under consideration.

Responsibilities

The Data Protection Officer is responsible for the proper management of investigations under this procedure.

Members of University Executive Group are responsible for the approval of interceptions made under this procedure.

The Senior Information Governance Officer is responsible for the maintenance of this procedure.

Procedure

Where, in the view of one or more of the officers identified below, it is appropriate to secure data pending or further to an investigation, that data shall be secured by DTS and/or the School or Service which holds it.

Request to Access Information

The officers who may request that data is secured/released (or a Litigation Hold) are:

  • Member of UEG
  • Dean of School
  • Director, Academic and Corporate Governance
  • Director, DTS
  • Director of Legal
  • Senior Information Governance Officer

Any request to secure data must be made in writing and concern matters within the competence of that University officer.

Decision to approve or reject the request to Access Information

The decision to recommend the approval of a request to access information shall rest with the Data Protection Officer (or in whose absence the University Secretary, subject to any conflicts).

Any decision will be final but a request for review can be made should new material information be identified after a decision is made.

The decision to reconsider should be reviewed by a member of the Information Governance Team with a recommendation to the University Secretary based on legal advice.

The extent of the information released shall be proportionate and the minimum necessary for the purpose specified within the request with the interest of the data subject being kept paramount and balanced against the business purpose.

Any decision under this procedure must consider the University’s obligations under applicable law and regulation including but not limited to:

  • Article 8 of the European Convention on Human Rights
  • Data Protection Act 2018 and UK GDPR
  • Investigatory Powers Act 2016
  • Investigatory Powers (Interception by Businesses etc. for Monitoring and Record-keeping Purposes) Regulations 2018
  • Employment Law
  • Academic Freedom

Related policies

University of Dundee policies which relate to and support this standard operating procedure are:

Enquiries

Data Protection

[email protected]
From Legal
Corporate information category Data protection