< Back to Main Site

EDUCAUSE review onlineEDUCAUSE review online

Responding to Compulsory Legal Requests for Information


© 2007 Andrea Nixon. The text of this article is licensed under the Creative Commons Attribution-NonCommercial-NoDerivs 2.5 License (http://creativecommons.org/licenses/by-nc-nd/2.5/).

EDUCAUSE Review, vol. 42, no. 2 (March/April 2007): 70–71

Andrea Nixon is Special Project Manager/IT Strategist at Carleton College. Comments on this article can be sent to the author at anixon@carleton.edu and/or can be posted to the Web via the link at the bottom of this page.

Colleges and universities house servers, desktop computers, and data networks that store and transport a diverse array of data. With the stewardship of these services comes the responsibility to respond to compulsory legal requests1 for information housed on and transmitted by these systems. Regular coverage by the press of data breaches, combined with shifts in the interpretation of the Communications Assistance for Law Enforcement Act (CALEA) of 1994, is contributing today to an environment in which institutional leaders are reconsidering institutional policies and procedures for handling such requests.

Legal Requests and Accompanying Issues

The members of the EDUCAUSE/Internet2 Computer and Network Security Task Force's Policies and Legal Issues Working Group has assembled "Protocol for Law Enforcement Requests: Guidelines for Responding to Compulsory Legal Requests for Information."2 This resource provides concise explanations of compulsory legal requests, identifies common issues that may surround those requests, and offers a list of quality information sources for further information.

There are a number of types of compulsory legal requests: subpoenas, search warrants, court orders, and national security letters. Requests differ in the amount of time an institution is given to respond. Subpoenas may allow time to prepare materials, whereas warrants may require immediate responses. The issuing parties of compulsory legal requests vary based on the type of legal or administrative proceedings involved. Additionally, public colleges and universities are also subject to public records or freedom of information statutes and thus may need to make records available on request.

Once requests come in, it is important that they be carefully reviewed for appropriate jurisdiction and that formalities be properly observed. Formalities include official signatures, designated delivery methods, credentialed delivery people, and service to an appropriate recipient. In contrast to other compulsory legal requests, public records requests may be much less formal in nature, and an anonymous oral response may be sufficient. Just as institutional representatives should be sensitive to the various types of information requests, the nature of the information requested should have some bearing on the disclosure process.

The data that are housed on servers and desktop computers or that traverse institutional networks are diverse in nature. In some ways it is easiest to account for data stored on centralized, institutionally owned servers or for data that are associated with the business of an institution. In a number of cases, federal laws provide a degree of guidance for handling certain classes of information. The disclosure of student educational records is governed by the Family Educational Rights and Privacy Act (FERPA) of 1974. Protocols for the disclosure of electronic communications are established in the Electronic Communications Privacy Act (ECPA) of 1986. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 governs processes for the disclosure of medical records.

Careful consideration is also warranted for protected research data. For example, in the United States, some federal agencies have the latitude to issue certificates of confidentiality that are intended to protect the privacy of research study participants. Researchers may apply to the National Institutes of Health for certificates of confidentiality when they collect sensitive biomedical, behavioral, or clinical data. In fact, the application process for a certificate of confidentiality requires that the principle investigator and an institutional representative sign a statement ensuring that the institution will use the certificate of confidentiality "to protect against the compelled disclosure of personally identifiable information and to support and defend the authority of the Certificate against legal challenges."3 Once a certificate of confidentiality is awarded, decisions concerning the disclosure of protected data are in the hands of the primary investigator associated with a given research project. Certificates of confidentiality are just one example of protected research data and are illustrative of the importance of inventorying protected data on campus.

Policy and Decision-Making Issues

In spite of the complexity involved in receiving and assessing requests, institutional leaders should consider having a single point of contact for all compulsory legal requests.4 An appropriate single point of contact increases the likelihood that all requests for information will be handled consistently and appropriately. A single point of contact also necessitates the careful coordination of efforts, as well as preparatory work.

Cornell University has documented its approach to handling legal requests by having in-house counsel serve as the primary contact for compulsory legal requests.5 Other institutions without legal counsel on staff might consider a senior administrator who has ready access to out-of-house counsel and is well versed in institutional policy and decision-making structures.

Given the limitations of any single point of contact, it is important for an institution to articulate

  • the nature and kinds of records and information that are maintained on campus and that are likely to be requested;
  • the nature and structure of the institution's recordkeeping systems, including but not limited to its IT systems; and
  • the institution's record retention policies and other institutional policies and state and federal laws that govern the maintenance and disclosure of records and other information.6

The process of pulling this information together will require coordination among the offices and individuals who own the data, systems, and networks involved. A minimal list of relevant offices should include those with responsibilities for records on students, employees, campus security, research, purchasing, and accounts, as well as offices providing IT services within the institution. Institutions with research compliance committees may want to work with them in identifying projects that include protected research.


One important step in ensuring consistent institutional responses to requests for information is to establish a single point of contact to receive compulsory legal requests. Given the variety of these requests, as well as the diversity of protocols dictated by data type, coordinated efforts will be required to assess the nature and kinds of records on hand. Information is the lifeblood of the academy. Stewards of data and of the infrastructure through which they are transmitted thus need to think very carefully about how best to take efficient, responsible, and informed action in response to compulsory legal requests for information.


1. For the purposes of this article, "compulsory legal requests" refers to requests associated with law enforcement investigations, civil litigation, or public records requests.

2. Steven McDonald and Andrea Nixon, "Protocol for Law Enforcement Requests: Guidelines for Responding to Compulsory Legal Requests for Information," December 2006, https://wiki.internet2.edu/confluence/display/secguide/Protocol+for+Law+Enforcement+Requests.

3. National Institutes of Health, Office of Extramural Research, "Detailed Application Instructions for Certificate of Confidentiality: Extramural Research Projects," March 15, 2002, http://grants.nih.gov/grants/policy/coc/appl_extramural.htm.

4. McDonald and Nixon, "Protocol for Law Enforcement Requests."

5. Cornell University, "IT Policy Flow Chart: Requests from Law Enforcement," June 20, 2006, http://www.cit.cornell.edu/oit/policy/calea/CALEA_Compliance.ppt.

6. McDonald and Nixon, "Protocol for Law Enforcement Requests."

Andrea Lisa Nixon

Andrea Nixon is the Director of Curricular and Research Support for Carleton College and has worked in the academic computing field for over 20 years. During that time she has worked with faculty, students, librarians and instructional technologists on the effective integration of information technologies into the curriculum of residential liberal arts colleges. She wrote of her experiences in a 1999 article for CAUSE/EFFECT titled 'Discipline-Focused Technology Support Fosters Curriculum Innovation.' Andrea has served on a variety of EDUCAUSE committees including the Security Task Force - Policies and Legal Issues Working Group, is a former chair of the Advisory Committee on Teaching and Learning, and is co-director of the Learning Technologies Leadership Institute.

Andrea received her Ph.D. from the Department of Educational Policy and Administration at the University of Minnesota. Andrea's research has included both policy analysis and educational research. Her dissertation research examined the role of institutional copyright policy on the development of curricular materials for online instruction. Her most recent collaborative research project is titled "Curricular Uses of Visual Materials: A Mixed-Method Institutional Study." The central research question of this study was: Are the sources of support that the College provides well suited to the work demanded of students and faculty as they make curricular use of visual materials? Her current research includes the Student Engagement with Academic Support (SEAS) longitudinal study that examines student behaviors as they work on course assignments.


Stay Up-to-Date

RSS Email Twitter

Share Your Work and Ideas

Issues coming up will focus on learning environments, top 10 IT issues, and adaptive learning. Share your work and ideas with EDUCAUSE Review.

E-mail us >