This article answers FAQs about REG 08.00.02 — Use of IT Resources. See the Help and Supersedence section at the end of this page for additional guidance.

1. Who does this regulation apply to?
   • This regulation applies to all students, faculty, staff — as well as anyone with access to IT resources at NC State.
   • Students may have less scope for this regulation than faculty and staff.
2. What are IT resources?
   • IT resources, as defined in Policy 08.00.01, include all information technology resources used for university purposes, including any activity related to work or academic pursuits, regardless of whether owned by the university, a third party or personally. This includes hardware, software, electronic networks, systems, computers, devices, phones, applications, data, and files.
3. What are NC State’s privacy policies?
   • The university’s privacy policies are included in multiple regulations, rules, procedures and a university privacy statement.
   • Examples of PRRs or written procedures with privacy obligations include but are not limited to:
     • REG 01.25.09 – Privacy/Confidentiality, Release and Security of Protected Health Information
     • REG 11.00.01 – Family Educational Rights and Privacy (FERPA)
     • REG 08.00.03 – Data Management Regulation
     • RUL 02.66.04 Student Identification in Distance Learning
4. What are some external privacy obligations the university is required to meet?
   • NC Law Governing Privacy of Employee Personal Records (N.C.G.S. Chapter 115C Article 21A)
   • Personnel Records Act (G.S. 126-22 et seq.)
   • Family Educational Rights and Privacy Act (FERPA) Regulation (20 U.S.C. 1232g)
   • Privacy Act provisions governing social security numbers (31 CFR § 1.32)
   • Health Insurance Portability and Accountability Act (HIPAA)
   • Gramm-Leach-Bliley Act (GLBA)
   • European Union General Data Protection Regulation (GDPR)
5. Is my personal device covered by this regulation?
   • Yes (when the device is being used for university purposes). Under the definition of an IT resource, the regulation applies to your personal device when it is used for university purposes or accessing university IT resources, such as NC State networks (internet and intranet). See FAQs 6 & 7 for additional information.
6. When would the university need to search my personal device for university data?
   • Only under limited circumstances, such as during discovery connected with a lawsuit or subpoena, a public records request, or when cybersecurity incidents are being investigated, and only if the university has no other means to access university data. Details are listed in the regulation.
   • In this scenario, the preferred response is not to store university data on a personal device or move it to a university-approved location, so that your personal device does not need to be accessed.
7. Is the university monitoring my personal device’s personal data when I use it with the Duo and Google Workspace apps (Calendar, Drive, Gmail, etc.)?
   • No, the university is not monitoring activity on your personal device under those circumstances. Some basic device connectivity information is logged as part of the software's functionality, such as license authentication and network access rights.
8. If my personal device is on the university’s network, is that device being monitored?
   • Only if you are breaking the law or violating policies or regulations. The university uses network and security technologies to monitor the network and connected devices for malicious activity (for example, infected devices or devices sending spam). In cases like these, the university will make reasonable attempts to contact the owner to discuss the issue and may also block the device on the network until the issue is remediated.
9. Is it OK for me to conduct any personal business on my university-provided device?
   • Yes, occasional, inconsequential personal use of university-owned IT resources is permitted, subject to the limitations outlined in the regulation.
10. Can I use my personal email to conduct university business?
    • No, university business must be conducted using a university email account.
    • Use of personal email to conduct university business will make your personal email account subject to the North Carolina public records laws and other requirements.
    • Auto-forwarding of your ncsu.edu email to a personal account is not permitted and may result in disciplinary action.
11. Can I use university IT resources for commercial purposes?
    • The use of IT resources for commercial purposes is generally prohibited unless it is for authorized university business and includes an option for recipients to opt out of future communication.
12. Is my personal information subject to the public records law?
    • Under the public records law, only records created or received while transacting university business are public records.  In order to avoid confusion, you should clearly delineate personal use from work. The best practice is to avoid storing personal information on a university-owned device.  See REG 04.00.02 – Public Records Requests for more details.
13. What do I need to know about data management?
    • The best resource for understanding data management is the Data Management Framework website, which helps explain individuals’ roles and responsibilities, data classification and data storage requirements.
14. Are there exceptions to this regulation?
    • Potentially: Formal exception requests must be submitted by completing the IT Security Exception Request form.
15. What happens if I violate this regulation?
    • Non-compliance and violations are covered in the POL 08.00.01 – Use of IT Resources Policy. Violations will result in appropriate action depending on your affiliation with and the degree of impact on the university.
    • To protect the university’s interests, the Chief Information Security Officer (CISO) may opt to suspend a user’s account or isolate a user’s IT resource.
16. What should I do if I suspect a violation has occurred?
    • Report it. You can find information on how to report at go.ncsu.edu/securityincident.
17. As a student, when is my email subject to the public records law?
    • Student email could be subject to the public records law if the student is a university employee (including through the work-study program) and is transacting university business through their email.

Help and Supersedence

This FAQ is intended to provide clarifying answers to some common questions.

Help:  If you have a question not addressed in this FAQ, please send an email with your question to oit_isra@help.ncsu.edu.

Supersedence: If there is a conflict between the FAQ and the regulation, the regulation will supersede the FAQ.