Handbook of Operating Procedures > Series 700 Information Resources > 7.1.3 Electronic Emergency Access

7.1.3 Electronic Emergency Access

A. Purpose

To establish a policy and procedure for the University to ensure that emergency access procedures are in place to protect electronic information in the event of an emergency.

B. Persons Affected

All individuals that are responsible for assigning access to The University of Texas at Tyler (the "University") Information Resources and individuals charged with Information Resource Security.

C. Definitions

Workforce Member - An employee, volunteer or other person whose conduct, in the performance of work for the University, is under the direct control of the University, whether or not they are paid by the University, including, but not limited to, full and part time employees, affiliates, associates, students, volunteers and staff from third party entities who provide service to the University. 

D. Policy

The University will ensure standard criteria for authorization and sufficient documentation is established for granting access to electronic information based on the business needs of the emergency access request. Standard criteria should include identifying the workforce member, the electronic information owner, why emergency access is required, duration of request, approval by the electronic information owner, and additional approval by Human Resources and/or Legal Affairs.

When business needs require emergency access to any electronic information – regardless of electronic storage mechanism – and the information owner is unavailable, the Chief Information Officer (CIO) or designee will review the request and make recommendations to Human Resources and/or Legal Affairs.

Scenarios of emergency access include, but are not limited to, the following:

• Administrative leave 
• An employee leaves unexpectedly for a prolonged absence 
• An employee is suddenly terminated for cause 
• An employee is incapacitated for an extended period of time 
• Access to EHR due to network or system outage 
• Access in response to a court order or other compulsory legal process 
• Account access to an unavailable employee's email. 

When available, the information owner(s) specified in the Business Continuity Plan should also authorize the emergency access request.

Access logs will be maintained by IT and made available to Information Security in order to monitor which workforce members have been granted emergency access to electronic information. An emergency access log should contain:

• Date and time access was granted 
• Workforce member name and unique user ID 
• Access rights granted (system, data) 
• Nature of emergency 
• Name of person(s) authorizing emergency access 
• Expiration date of required access.

Information Security will monitor access logs monthly to ensure emergency access does not extend past the expected expiration date.

Violation of this policy may result in disciplinary action which may include termination for employees and temporaries, a termination of employment relations in the case of contractors or consultants, dismissal for interns and volunteers, or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of University Information Resources access privileges, civil, and criminal prosecution.

E. References

IHOP Vendor Representative

IHOP Administrative/Special Access

45 CFR 164.312(a)(1)

UTS165 Information Resources Use and Security Policy

F. Review Responsibilities and Dates

The Division Head for this Policy is the Chief Information Officer and this Policy shall be reviewed every two (2) years or sooner, if necessary, by the Division Head or their designee.