Clearly the Principal has to be very careful and one of the first difficulties is that someone has to make a decision as to whether the material involved is illegal or not. If it is obviously illegal (such as child pornography images) then the police should be involved as soon as possible. A local police liaison officer should be able to provide guidance on appropriate actions to take once illegal materials are discovered on college computers. The situation is also likely to be a breach of college disciplinary rules and has to be handled as would any other breach of discipline.
Where the materials are not illegal and if the institution has a clear acceptable use policy which sets the limits on what is permitted for staff use of the college information systems (and an interrelated disciplinary procedure) then the email which the college principal has received should trigger this disciplinary investigation procedure.
It should be remembered that what the college is really doing is allowing individuals to use the IT facilities so long as they remain within the 'terms and conditions of acceptable use' which the college specifies. Just like any other college facility the privilege can be withdrawn if abused. Ensuring that the Acceptable Use Policy (AUP) terms and conditions are clear to all users is essential.
If these procedures are not already in place at your institution then you should take steps to get them in place as soon as possible.
It is important that the Acceptable Use Policy is enforceable otherwise the institution may be held to have treated a member of staff or a student unfairly when taking disciplinary action.
Collecting Evidence
One important question to be asked and answered, though, is how the IT manager has come across the materials in the first place. Was it by monitoring individuals? Was this done lawfully?
The outcome of such an investigation may in the extreme result in dismissal of an employee and may form the basis of a subsequent action for unfair dismissal. Such action is likely to be vigorously contested.
In that event is a risk that evidence gathered by IT staff during an investigation will be held inadmissible if it were gathered in an unlawful way. Evidence could also be discredited if presented inappropriately. The authenticity of email messages and the validity of login records are particularly likely to be challenged. Often college and university IT departments are unaware of these issues. Whilst they may receive guidance from the Police investigating a serious crime this will not be so for minor offences or for civil actions. Consequently, there is a risk that what may seem a cast iron case will founder when contested for example in an employment appeals hearing.
IT staff are increasingly likely to be called upon to investigate and gather evidence when there is an allegation of improper conduct. This has to be carried out in compliance with the Data Protection Act, the Regulation of Investigatory Powers Act and the Human Rights Act. It is essential that staff understand their responsibilities and the limits of their authority. Documented procedures, making clear what staff are authorised to do (and what they are not), must be provided.
For users every institution should have an Acceptable Use Policy (AUP). To be enforceable, the AUP must be properly incorporated into the student contract or into an employee's terms and conditions and, additionally, reasonable steps must be taken to communicate its contents and any sanctions that might be imposed.
JISC Legal has published an Overview paper on Cybercrime and it is available on the JISC Legal website at - http://www.jisclegal.ac.uk/cybercrime/cybercrime.htm.