The University may access and disclose employee or student individual content when the University deems a legitimate and appropriate business need and those instances are documented and approved by the appropriate authorities. In those instances, if it is necessary to access individual content on IT resources without the consent of an individual currently affiliated with the University, approval must be obtained from the appropriate authority or his or her designee.
Individual content may be accessed through automated information security systems (such as antivirus software, intrusion detection systems, and/or data loss prevention systems) for the purposes of detecting and responding to threats to campus information resources. Excluding client antivirus or antimalware software, the campus IT security principal must authorize all automated information security systems that systematically access individual content. Automated information security systems will log only individual content needed to respond to and identify incidents.
Other than backups for disaster recovery purposes CU does not systematically archive contents of email communications. CU, at the direction of University Counsel, arranges ongoing archival of email accounts as required to meet legal requirements.