Who is checking your email?

What is your campus policy and procedure for access to employee email?  If you don't know - or you don't have it written down - it might be time to review your practice, write it down, and vet it with the appropriate governance bodies.  Interest in the issue of administration access to employee email has been piqued on campus because of a New York Times article that described a controversy brewing at Harvard University.  The University had become concerned about a leak to news media regarding a student disciplinary matter that they suspected was attributable to a University administrator.  According to a statement released by the University:

. . . with the approval of the Dean of Faculty of Arts & Sciences and the University General Counsel, and the support of the Dean of Harvard College, a very narrow, careful, and precise subject-line search was conducted by the University’s IT Department. It was limited to the Administrative accounts for the Resident Deans – in other words, the accounts through which their official university business is conducted, as distinct from their individual Harvard email accounts. The search did not involve a review of email content; it was limited to a search of the subject line of the email that had been inappropriately forwarded.

Of course, the reaction to the media reports about the situation (another apparent unauthorized disclosure) has led to an outcry from privacy advocates and faculty who consider the administration's actions antithetical to academic values.  The episode raises a number of important legal and policy issues.

First, what is the legal standard that applies in this situation?  Your campus attorney is in the best position to answer that question for your institution, but the answers are generally found in "privacy law" (often developed at the state level or according to "common law") or "contract law" (i.e., how do your employment contracts, handbooks, policies and procedures, etc., bind the institution?).  Constitutional law (especially Fourth Amendment privacy standards) does not apply to private institutions (unless considered part of a contract), and the legal standard for "expectation of privacy" is generally low and typically trumped by policy statements or login banners that state "there shall be no expectation of privacy as a condition of access to this network, system, resource, etc."  Statements that minimize privacy expectations are typical in businesses and K-12 schools - and some institutions of higher education.

Second, we know that privacy is a deeply embedded value of higher education and, while not the same, is considered important to the "academic freedom" of faculty and students.  In addition to the legal standard, institutions must also consider how they want to express their values in the form of policy statements or practices that support community expectations.  That is why (sometimes despite the best wishes of legal counsel) institutional policies go above and beyond what the law might otherwise entitle employees or students to.  Nonetheless, any policy position not premised on legal or compliance obligations must represent a "community standard" and not be based on the personal preferences or views of a few individuals.

Third, the Harvard incident brings to light the potential for differential treatment of faculty, administrators, staff, and students.  While there may be academic traditions for treating faculty communications as a special case, it does not necessarily follow that staff and students place any lesser expectation or value upon the privacy of their communications.  As this incident illustrates, there is often a fine line between the role of a faculty member and an academic administrator.  Similarly, staff at many institutions take on professional roles that include classroom instruction, research, and other academic functions.

Fourth, what is your process (i.e., procedure) by which decisions are made and requests for email access administered?  The authorization and approval process, including the blessings of legal counsel, is a critical part of any administrative process that might involve access to email.  The technical distinction between "header information" (including the "subject" line as in this case) and "content" is critical for both the policy and the retrieval of information.  An equally important process issue - perhaps the most critical in the Harvard case - is consideration of whether or not you notify the account holder that a review of their email is being conducted according to institutional policy.

Finally, what is the scope of the policy?  Is it only applicable to access to email?  Electronic files?  Physical space?  Video surveillance content?  As you broaden the scenarios into multiple arenas, you can begin to see why a broader privacy policy statement may be needed to cover situations other than email.

I think a key lesson learned from this incident is that if faculty and administrators are being driven to use private email addresses rather than university email for correspondence for fear of unauthorized monitoring, it may cause institutions to ask whether or not there should be comparable standards and policies to govern both situations.  Inevitably, access to third-party email providers will invoke the Electronic Communications Privacy Act (ECPA) which is actively under review in the current Congress, and ECPA reform is a principal goal of the Digital Due Process Coalition to which EDUCAUSE belongs.  While I am not arguing that the standards must be the same, it highlights the urgency for clarifying the rules - both for users as well as email providers.  And, both for on-campus providers (i.e., universities) and third-parties.

