E-mail Search Protocols Update
In the wake of revelations last spring that resident deans’ e-mail accounts had been searched on three occasions in September 2012, during an Administrative Board investigation of undergraduate academic misconduct, President Drew Faust appointed a task force under Green professor of public law David Barron to establish University policies and procedures for the privacy of electronic communications. In the wake of an external review of the 2012 e-mail searches by attorney Michael B. Keating, LL.B. ’65—commissioned by Faust at the same time, and released to the community following Corporation discussion in late July—Faust announced that the shortcomings of policy and details of execution detailed there required the promulgation of “interim protocols governing any searches of e-mails at the University” before Barron’s group reports later this year.
A presidential memorandum to the deans of the faculties, dated August 22, creates those “interim protocols on electronic communications” and advises that Faust expects the Barron task force, now at work, to “recommend how we might improve and clarify our policies regarding access to and confidentiality in electronic communications” sometime “this winter.” The interim protocols, she notes, “clarify and build on our existing policies and procedures,” with the aim of “ensuring we have appropriate systems in place to record and review any searches that may occur” during this period and to “enable any such searches to be undertaken only with appropriate respect for the sensitivities involved.” (Until the task force reports, of course, the community at large does not know how often or how extensively the University is obliged to search electronic communications in connection with, say, federal government reviews of possible misuse of research funds or legal investigations of academic misconduct; those nitty-gritty details, along with what Faust describes as “the more comprehensive approach that is needed,” await the task-force report.)
The initial protocol states:
Any search should occur only after careful institutional consideration and in response to legitimate institutional interests. Each school or central administrative unit should ensure that any search is subject to an approval process that accords with the University’s values and that fully satisfies the other requirements set forth below.
The memorandum then enumerates steps that a dean must follow within this very broad, general guidance, including:
- Any search of electronic information should be done by or with the involvement of either University or school CIO [chief information officer].
- The University CIO and school CIOs are accountable for ensuring that any search is conducted narrowly and that all data accessed is safeguarded.
- An authorization to conduct one search is not considered authorization to conduct additional searches. Any search must be independently approved.
- The OGC [Office of the General Counsel], HUIT [Harvard University Information Technology], and the school CIOs will ensure that records are kept of any searches. The records must include a description of why the search was initiated, who authorized the search, and how the search was conducted. The University CIO will be responsible for consolidating and maintaining these records.
- During this interim period, HUIT and the OGC will meet regularly with the school CIOs to review any records and to clarify appropriate practices as needed.
These bare-bones procedures appear to respond to shortcomings in the authorization of the second and third searches of a resident dean’s e-mail accounts last September, documentation of such authorizations, recordkeeping regarding the searches, and other concerns discovered in the course of the University’s and Keating’s fact-finding.
Faust refers deans who seek further guidance to vice president Anne Margulies, Harvard’s CIO; vice president for strategy and programs Leah Rosovsky; and vice president and general counsel Robert Iuliano.