A Harvard task force assigned by President Drew Faust to develop a University policy governing electronic communications released its recommendations in late February. Its work began in March 2013, following a controversy sparked by University administrators’ decisions to access information about e-mails during an Administrative Board investigation into undergraduate academic misconduct (see “E-mail Imbroglio,” May-June 2013, page 46). After disclosures that a senior administrator had authorized multiple searches that led information-technology personnel to access as many as 17,000 Harvard e-mail accounts to find a purported leak, Faust said the University had “highly inadequate” policies and processes in place for treating electronic communications properly.
The task force, chaired by David J. Barron, Green professor of public law, has recommended adoption of a single, comprehensive, University policy applicable “across all components, faculties and schools.” The task-force report and draft recommendations were meant, it said, to “honor the University’s commitment to academic freedom and free inquiry while being sensitive to the University’s administrative and operational needs.” Accordingly, it said any search of electronic records should be governed by principles codified in these recommendations:
- Limited justifications for access: “Access to electronic information should be permitted only for a legitimate and important University purpose, as informed by the illustrative list of the limited purposes that have historically justified such access.”
- High-level, accountable authorization: “In general, access to electronic information for reasons other than systems maintenance and protection should be undertaken by information-technology personnel only when specifically authorized by the head of the school or component of the University making the request, such as a dean of a faculty.”
- Notice to users: “There should be a strong presumption that users should receive timely notice in any case in which access to their electronic information has been authorized.”
- Minimization: “Access to electronic information, if authorized, should be undertaken in a narrow manner and pursuant to minimization rules and protocols that information-technology components have codified in advance.”
- Record-keeping: “Written records of decisions to access electronic information should be prepared in a manner that permits subsequent review of such decisions.”
- Independent oversight: “Decisions to authorize access to electronic information should be subject to periodic review by an oversight committee that includes faculty in order to ensure an independent set of ‘eyes’ also lends its perspective on any such decisions and on possible policy or process changes.”
In outlining the kinds of legitimate access the University has exercised in the past five years, the report cites as one example “business continuity”: the need, perhaps, to access important “financial information on the computer account of an individual who is not available.” Academic-misconduct investigations, the report states, are another legitimate reason for accessing electronic communications, as are legal processes external to the University (such as a court-issued subpoena).
The report notes that there has been a shift in the capacity of institutions to access individuals’ information as more people communicate and store data electronically. “In light of this reality,” it states, “‘privacy’ does not exist in precisely the same way it once did. In the past, writing, conversing, and communicating did not inevitably and routinely entail that the contents of those communications or even related data might be available to anyone beyond intended recipients. Now it does. Thus, today, those who use University systems and devices often communicate in writing in a way that is extremely convenient but that unavoidably gives the University the potential capacity to access that information.”
This “shift in practice,” the task force declares, “does not mean access should always be permissible. In determining the appropriate rules for permitting access to this information, we must look beyond the fact that the University owns, provides, and/or administers the information systems and devices. Rather, the increased capacity for access heightens the need for policies and protocols that structure and constrain decisions about when and how such access may occur.”
The policies, or some modified version, are likely to be formally adopted following a public comment period. For a complete report, see http://harvardmagazine.com/2014/02/electronic-communications-policy.