Harvard Releases Barron Report on Access to Electronic Communications
A Harvard task force assigned by President Drew Faust to develop a University policy governing electronic communications released its recommendations today. The work began in March 2013, following a controversy about decisions by University administrators to access information in e-mail subject lines during an Administrative Board disciplinary proceeding; some particulars of that proceeding—which concerned a massive case of student academic dishonesty—had leaked, prompting concerns over student privacy, which is protected by law. The subsequent events, in which a senior administrator authorized multiple searches that led information-technology personnel to access as many as 17,000 Harvard e-mail accounts in order to find the leak, revealed that Harvard had, as Faust put it, “highly inadequate” policies and processes in place for treating electronic communications properly.
The task force, chaired by David Barron, Green professor of public law at Harvard Law School, has recommended the adoption of a single, comprehensive, University-wide policy that would “apply across all components, faculties and schools.” Although responsive to the events of last year (which were analyzed in detail by attorney Michael B. Keating, LL.B. ’65, at Faust’s request), the work of the task force, including a report explaining its recommendations and a draft of the policy (on which comment is invited through March 10), was meant to be forward-looking, aiming to “honor the University’s commitment to academic freedom and free inquiry while being sensitive to the University’s administrative and operational needs.”
The task force members laid out a series of principles to which any search should adhere, and then formulated specific proposals intended to achieve those aims. The principles they consider key to any decision to authorize access to electronic records include accountability and transparency; adherence to advance guidance about when such authorization is legitimate; narrowness of scope, with checks against unwanted intrusions; and oversight by a committee that includes faculty members. Codifying these principles, the task force recommends:
- Limited justifications for access: “Access to electronic information should be permitted only for a legitimate and important University purpose, as informed by the illustrative list of the limited purposes that have historically justified such access” (see below).
- High-level, accountable authorization: “In general, access to electronic information for reasons other than systems maintenance and protection should be undertaken by information-technology personnel only when specifically authorized by the head of the School or component of the University making the request, such as a dean of a faculty.”
- Notice to users: “There should be a strong presumption that users should receive timely notice in any case in which access to their electronic information has been authorized.”
- Minimization rules and protocols: “Access to electronic information, if authorized, should be undertaken in a narrow manner and pursuant to minimization rules and protocols that information-technology components have codified in advance.”
- Record-keeping: “Written records of decisions to access electronic information should be prepared in a manner that permits subsequent review of such decisions.”
- Independent oversight committee: “Decisions to authorize access to electronic information should be subject to periodic review by an oversight committee that includes faculty in order to ensure an independent set of “eyes” also lends its perspective on any such decisions and on possible policy or process changes.
Framing the recommendations as responsive to the needs of the University, which maintains the information-technology infrastructure that might be accessed, rather than focusing on the status of users of IT infrastructure (whether students, faculty, or administrators; in the 2012 imbroglio, it appeared that different rules might govern searches of faculty e-mails and staff e-mails, for example) allows the formulation of a universally applicable policy. Thus in outlining the kinds of legitimate access the University has exercised in the past five years, the report cites as one example “business continuity”: the need, perhaps, to access important “financial information on the computer account of an individual who is not available.” (Barron drew an analogy to paper files when he explained this principle at a Faculty of Arts and Sciences meeting earlier this year: in an urgent situation, he said, if an employee whose file cabinet contains important documents relating to University business is unavailable, someone acting on the University’s behalf may legitimately enter that locked office and obtain the necessary papers. Legally, he said, electronic access is no different.) Academic misconduct investigations, the report states, are another legitimate reason for accessing electronic communications, as are legal processes external to the University (such as a court-issued subpoena). The report adds that there were fewer than 10 other types of instances in which access was granted during the past five years, most relating to staff misconduct (concerning, for example, missing property).
The report notes that there has been a shift in the capacity of institutions to access individuals’ information as more and more people communicate and store data electronically. “In light of this reality,” it states, “‘privacy’ does not exist in precisely the same way it once did. In the past, writing, conversing, and communicating did not inevitably and routinely entail that the contents of those communications or even related data might be available to anyone beyond intended recipients. Now it does. Thus, today, those who use University systems and devices often communicate in writing in a way that is extremely convenient but that unavoidably gives the University the potential capacity to access that information.”
This “shift in practice,” the task force declares, “does not mean access should always be permissible. In determining the appropriate rules for permitting access to this information, we must look beyond the fact that the University owns, provides, and/or administers the information systems and devices. Rather, the increased capacity for access heightens the need for policies and protocols that structure and constrain decisions about when and how such access may occur.”