Access to stored electronic files and voice and data communications on IU computing devices is governed by Indiana University policy IT-07 Privacy of Electronic and Information and Information Technology Resources.
IT-07 specifies that access to any electronically stored information is limited to the person to whom the account on which the information is stored has been assigned, to the person from whom a communication originated or to whom it was sent, or the person to whom the device containing the files has been assigned, except for specifically defined exceptions.
Exceptions comprise access whose purpose is “ensuring the continued confidentiality, integrity, and availability of university systems and operations; securing user and system data; ensuring lawful and authorized use of university systems; providing appropriately de-identified data for institutionally approved research project; and responding to valid legal requests or demands for access to university systems and records” (IT-07, p. 1).
The policy contains a statement about the extent to which users of IU information technology resources can expect privacy of data (p. 4):
Expectation of Privacy - Although the university seeks to create an atmosphere of privacy with respect to information and information technology resources, users should be aware that because IU is a public institution, and members of the University community are engaged in institutional and academic research projects that may require access to certain de-identified user data, and because the university must be able to ensure the integrity and continuity of its operations, use of the university's information resources cannot be completely private. For example, in addition to the types of permissible access described above, when users engage in incidental personal use of their university email accounts, the contents of their email may be subject to disclosure in response to requests under Indiana's "open records" law. Therefore, users of Indiana University information technology resources are hereby notified that they should have no expectation of privacy in connection with the use of those resources beyond the provisions of this policy. Users should also be aware that although the university takes reasonable measures to ensure the privacy of university information technology resources, the university does not guarantee privacy.
The policy also specifies sanctions for violating these policies and provides further information on sanctions in IT-02 Misuse and Abuse of Information Technology Resources.
Additional information about the interpretation of IT-07 is available in a FAQ.