a. Complaints may be filed with Information Technology Services (ITS) via e-mail (complaints@calpoly.edu), telephone (805-756-7000), in writing, in person, or internally through routine monitoring and detection of a system/network problem or unusual event.
b. Complaints must be filed by the individual who was harmed or by the administrator of the network/system that was harmed by the use. Cal Poly will respond to requests for assistance from law enforcement accompanied by a court order, subpoena or search warrant.
c. Cal Poly will act on anonymous and third-party complaints only in the event of a health and safety issue. Otherwise, the individual who has been harmed will be contacted and asked to file a formal complaint.
d. Suspected infractions occurring on external or departmental systems should be reported to the administrator responsible for the system or network. A copy should be sent to complaints@calpoly.edu for tracking.
e. System and network administrators, supervisors or offices receiving a complaint or discovering a possible violation should notify complaints@calpoly.edu.
f. ITS may also be contacted to report infractions when the complainant is unable, or it is not desirable, to do so through other channels.
a. The Vice Provost/Chief Information Officer or designee reviews each complaint to initially determine whether a potential policy or legal violation has occurred based on the evidence provided.
1) If not, the complainant is notified in writing as to why it does not constitute a violation and the incident will be closed.
2) If yes, but additional information is needed, the complainant will be asked to provide it, e.g., system logs, e-mail headers.
3) If yes, but the violation does not involve University resources, the complainant will be advised on what, if any, action they can take.
4) If the complainant fails to produce enough evidence to make a determination, they will be notified and the incident will be closed and filed for future reference.
b. If it appears a violation has occurred and sufficient evidence has been gathered, ITS will make an initial determination as to what happened, where it happened, and who initiated the activity. A trouble ticket will be created for each unique event to track and record the incident investigation and resolution.
1) If the event occurs on a centrally-managed system, ITS will investigate further and seek informal or formal resolution.
2) If the event occurs on a decentralized system, ITS will refer it to the appropriate system administrator to investigate and report back to ITS on any findings and actions taken. ITS may elect to take further action based on those reports. ITS may recommend preventative measures to avoid future violations.
3) If the event involves a breach of system security in which any individual’s unencrypted personal information was, or is reasonably believed to have been, disclosed to an unauthorized person, the breach should be reported immediately to ITS, the campus Information Security Officer, and the appropriate “user owner” as specified in Section E below.
c. A serious incident may result in simultaneous investigations and actions by ITS, non-ITS system/network administrators (e.g., ResNet), and law enforcement.
d. Public Affairs will be contacted to represent the University if the matter requires interaction with the public, media or other outside interests.
e. ITS will assist University officials with securing and interpreting evidence and conducting investigations when requested or legally required to do so.
a. Once ITS has determined that a violation has occurred and the nature of the violation is known, the Vice Provost/Chief Information Officer or designee will contact the alleged violator by e-mail, phone or in person to informally resolve the complaint.
b. The individual will be advised of the nature of the complaint and the evidence collected and asked to provide an explanation.
c. If the individual does not appear to be responsible (e.g., a third party misused their account), ITS will counsel the user on how to prevent future occurrences of the specific problem and continue its investigation.
d. If a Cal Poly community member is responsible but the violation appears to be accidental or unintentional on their part, ITS will counsel the user on how to prevent future occurrences of the specific problem.
e. If they have no history of prior violations, they will generally be given a warning and advised that future violations will result in formal action.
f. Individuals with a prior history of violations or involved in a serious violation will be referred to the appropriate campus authority for formal action and resolution.
a. Formal actions, including disciplinary hearings, imposition of sanctions, and appeals will be handled through existing disciplinary/grievance processes for Cal Poly students, faculty and staff.
b. ITS will refer such incidents to the designated campus authority:
1) Students will be referred to the Office of Student Rights and Responsibilities
2) Staff will be referred to the appropriate Human Resources department (State, ASI, Foundation)
3) Faculty will be referred to Academic Personnel
c. It will be the VP/CIO's role and responsibility to advise and counsel the appropriate disciplinary authorities regarding the nature of the violation and its impact on campus resources, policy and practices, and to assist them in determining the seriousness of the offense if necessary.
d. The following individuals may also be contacted: sponsor, advisor, supervisor, department head/chair, dean, and/or program administrator/manager.
e. Matters involving misuse of institutional data will be referred to the campus Information Security Officer, and the affected “user owner,” i.e., the appropriate Human Resources office if employee information is involved and, if student information is involved, Academic Records.
f. Potential legal violations and threats to individual health and safety will be referred to the Cal Poly University Police.
g. ITS may confer with University Legal Counsel to help determine if a legal violation has occurred before referring the matter to law enforcement officials.
h. Based on their investigation, University Police may refer these to the local district attorney or the University for further action.
a. Any Cal Poly student, faculty, staff, consultant, contractor or any other individual having access to personal information (as defined in Appendix A) on campus computing resources shall immediately notify one or more of the following offices regarding any security breach in which an individual’s unencrypted personal information has been, or is reasonably believed to have been, disclosed to an unauthorized person:
b. The "user owner" is responsible for notifying affected individuals in writing, by email or other methods prescribed by California Civil Code 1798.29 (http://www.leginfo.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html). While California law only requires notification of California residents, it is the practice of the University to notify all affected individuals. Notification will be based on contact information currently on file with the Office of Academic Records (for students), applicable Human Resources offices (for employees), Procurement and Contract Services (for contractors), and/or other campus entity (for other individuals). A sample notification letter is available and will be provided by the campus Information Security Officer as the need arises.
c. The Vice Provost/Chief Information Officer or designee is responsible for contacting the CSU Office of General Counsel in accordance with the CSU “Records Access Manual.” ITS will confer with University Counsel and the campus Information Security Officer prior to making such contact.
d. The "user owner" or designee is responsible for notifying sub-users (e.g., outside contractors, consultants, etc.) regarding this requirement for disclosure and for obtaining, in writing, their agreement to comply with campus confidentiality-security and responsible use policies and practices. The “Cal Poly Computing Accounts for Non-Employees Statement” may be used for this purpose. This form is available online in PDF format at http://its.calpoly.edu/documents/documents/RUP-Non-Employee-Account-Form.pdf.
F. Final Disposition
a. ITS will notify the complainant as to the disposition of their complaint. This could range from advising as to why the matter does not constitute a violation to providing final notice that the matter has been resolved.
b. Specific information about the individual involved will not be disclosed.
c. ITS will record each incident and its resolution to track recurring violations and repeat offenders and to inform future changes to the policy/practices.
d. ITS will implement technical sanctions imposed by the designated campus authority as a result of a formal disciplinary process or as required by law.
Attachment: "Responsible Use Policy Implementation Practice and Procedures" (Matrix of Steps and Responsibilities) (Excel) (PDF)
Updated 6/30/03