(Effective Date February 14, 2025)

At Spalding University, we prioritize the privacy and security of our users' personal data. This privacy policy outlines what data and activities administrators can access and monitor on electronic mail, OneDrive, Microsoft Teams and Zoom platforms. While these platforms are used to facilitate collaboration and communication, there may be certain sensitive data that administrators can access in the course of managing and maintaining accounts and services. This policy aims to inform users about what administrators can view, and how their privacy is protected.

Electronic Mail

Spalding University provides electronic mail (email) services for faculty, staff and students for legitimate University-related activities. The University has a subscription for email service with Microsoft. The University has a Business Associate Agreement with Microsoft to protect personal information and ensure compliance with the Family Education Rights and Privacy Act (FERPA) and Health Insurance Portability and Accountability Act (HIPAA).

Email accounts are created automatically when employees are hired, or students are enrolled at the University. The University Information Technology Department maintains and supports University email with support from Microsoft and third-party vendors. The staff in Information Technology, Microsoft and third-party vendors do not have access to individual email accounts of faculty, staff or students, and do not have access to the contents of email messages. To ensure that only the individual owner of an email account has access to view their emails, the University utilizes Microsoft’s Privileged Access Management (PAM) solutions to detect any unauthorized access to an email account. PAM prevents access to emails by IT administrator accounts without approval from the University President.

For reasons relating to compliance, security or legal proceedings (e.g., subpoenas) or in an emergency or in exceptional circumstances, the President may authorize access to faculty, staff, or student email in certain circumstances including, such as:

1. Situations involving the health or safety of people or property.
2. Possible violations of Spalding codes of conduct, regulations, or policies.
3. Possible violations of state or federal laws; subpoenas and court orders.
4. Other legal responsibilities or obligations of Spalding University.
5. The need to locate information required for business continuity.

To ensure compliance with this policy Spalding University has worked with Matrix Integration to set up monitoring and approvals for any email access by an IT administrator account. IT administrators will need to submit an online request for access to an email account, access will be limited in duration and require the administrator to provide a written justification. The request will be sent to the President for approval. Once approved, the IT administrator will be required to use multi-factor authentication to login to the account and complete the task of retrieving emails, updating permissions on a mailbox, etc. All activities of the account will be logged to ensure that only approved actions are taken. Matrix Integration will audit compliance with this policy monthly and share results with the University President, Director of Information Technology, Chief Information Officer.

E-mails containing information classified as protected should use encryption or password protect the document as an attachment.

To prevent malicious emails, phishing and support users in troubleshooting email delivery, designated staff in Information Technology have access to certain data elements of email messages. These data include: (a) the identity and address of the authenticated sender, (b) the address of the recipient, (c) the size of the message, (d) the transmission time, (e) the headers of the email, (f) the subject of the message, and (g) certain features that are used to identify spam.

OneDrive

IT Administrators do not have access to individual OneDrive folders. The University Information Technology Department maintains and supports University OneDrive with support from Microsoft and third-party vendors. The staff in Information Technology, Microsoft and third-party vendors do not have access to individual OneDrive folders or documents belonging to faculty, staff or students, unless those are explicitly shared by the user. To ensure that only the individual owner of a OneDrive Folder has access to view their files, the University utilizes Microsoft’s Privileged Access Management (PAM) solutions to detect any unauthorized access to an email account. PAM prevents access to emails by IT administrator accounts without approval from the University President.

For reasons relating to compliance, security or legal proceedings (e.g., subpoenas) or in an emergency or in exceptional circumstances, the President may authorize access to faculty, staff, or student OneDrive folders in certain circumstances including, such as:

1. Situations involving the health or safety of people or property.
2. Possible violations of Spalding codes of conduct, regulations, or policies.
3. Possible violations of state or federal laws; subpoenas and court orders.
4. Other legal responsibilities or obligations of Spalding University.
5. The need to locate information required for business continuity.

To ensure compliance with this policy Spalding University has worked with Matrix Integration to set up monitoring and approvals for access to any OneDrive folders by an IT administrator account. IT administrators will need to submit an online request for access to OneDrive folders, access will be limited in duration and require the administrator to provide written justification. The request will be sent to the President or the President’s designees for approval. Once approved, the IT administrator will be required to use multi-factor authentication to login to the account and complete the task of retrieving or sharing files. All activities of the account will be logged to ensure that only approved actions are taken. Matrix Integration will audit compliance with this policy monthly and share results with the University President, Director of Information Technology, Chief Information Officer.

E-mails containing information classified as protected should use encryption or password protect the document as an attachment.

Microsoft Teams and Zoom Meetings

As part of their administrative responsibilities, IT administrators have access to certain tools and permissions on Microsoft Teams and Zoom to ensure the smooth operation of the platforms and resolve technical issues. Administrators may have access to the following information:

Microsoft Teams IT Administrator Access

User Activity Logs: Administrators can view activity logs that include when users log in and out, their usage patterns, and which channels or teams they access.

Meeting Information: Administrators can view meeting metadata, such as the meeting title, date, time, and duration, but do not have access to the content of private meetings unless they are specifically invited to the meeting.

Chats and Files: Administrators cannot view private chats or direct messages between users, or files exchanges in chats. Teams chat files are stored in individual user’s OneDrive accounts and access would follow the procedures for OneDrive files. Files shared in a Teams Channel or on a Teams Site are stored in SharePoint and are accessible to SharePoint administrators or members of the Teams group.

User Profiles: Administrators can view user profile information, such as name, email, department, role, and organizational details, but cannot see sensitive personal details like personal messages or private documents unless shared in a team or channel.

Zoom IT Administrator Access

Meeting Information: Administrators can view meeting metadata, such as meeting titles, IDs, times, durations, and participant lists. However, administrators do not have access to the meeting content unless granted permission by the meeting host.

User Activity: Administrators can monitor user activity, such as when users join or leave meetings, and their participation in webinars or breakout rooms, as well as the duration of their participation.

Recording Access: If a meeting or webinar is recorded to the cloud, administrators have access to the recording and transcript. However, administrators cannot access private, unrecorded meetings unless explicitly provided the recording by the meeting host.

Chat and Messaging Logs: Administrators may have access to chat logs within a meeting, if the meeting was recorded to the cloud and the messages are recorded, but private messages between users during a meeting or in direct Zoom messaging are not accessible to administrators.