Third party access to users' accounts and data

2010/07/16 by CSO. Revised 2019/06/12 by CSO

This rule describes the procedures for accessing the restricted data (e.g. files or Web pages) of users of the CERN computing facilities whose individual consent cannot be obtained (e.g. because they are absent from CERN, have left CERN or are deceased), where professional or operational needs require access to such data. It is a subsidiary rule of use, in accordance with paragraph 8(a) of the Operational Circular N°5.

Authorization for third party access is granted by the CERN Computer Security Officer (CSO) or the Head of the IT Department.

Procedure to obtain third party access to users' accounts and data

Access to restricted data can only be requested by the supervisor of the data owner:

  • The requestor shall submit a request for access to the CSO (i.e., indicating the reasonable efforts made to contact the data owner in order to obtain his/her direct authorization);
  • The CSO shall consider the request on the basis of all available information and shall verify the hierarchical structure of the third party via HRT or PIE;
  • If access is granted, the CSO shall inform the requestor, the Head of the IT Department, and, if an email address has been registered, the data owner. Thereafter, the CSO shall immediately authorize access to the files concerned.

This procedure shall not govern access to folders that are clearly marked as private (i.e., the ~/private-folder on AFS, EOS or CERNbox, or the "My Documents" folder on DFS) or mailboxes, nor the request for password changes by a third party. Access to such data requires the express written authorization of the Director-General of CERN via a request from the CSO. Upon authorization, access to the private data will be conducted in the presence of the CSO.