Electronic Communications Policy Oversight Committee

• There were 124 requests to access user electronic information in FY23. Some trends observed: legal cases consistently grow every year while internal investigations appear to be on the decline. This apparent decline may be attributed to a newly-adopted software introduced by the Office of the General Counsel. The aforementioned software enables automatic legal hold notices. Counsel to the committee will verify that the application of this software and subsequent reporting are in accordance with the AEI Policy.
• Committee members from the HUIT Information Security Group agreed to explore new approaches to spreading awareness of and education on the AEI policy, especially focusing on new hires.
• The committee discussed potential gaps in the process for archiving records of the abovementioned now-automated legal holds; a subset of the committee agreed to convene and verify the process.
• The Policy on Access to Electronic Information was amended and approved by the Provost on October 6, 2023. The updated Policy has been distributed to relevant parties and posted on the Provost's Office website and the ECPOC website. In addition, there is an appendix to the policy in the form of a Frequently Asked Questions (FAQ) document.

• Annual review of the FY22 Report on Access to Electronic Information demonstrated AEI requests to be in line with previous reports and mostly concentrated in preservation requests stemming from legal process and litigation.
• The Policy Amendment Working Group (PAWG), consisted of a subset of volunteers from the Committee and met regularly over the course of six months. The group analyzed the current policy and discussed potential recommendations that would more accurately reflect the current landscape of user electronic information at the University. The proposed amendment is currently in feedback rounds and will be put to vote at an upcoming Committee meeting.
• The Committee provided guidance and has agreed to increase the cadence of committee meetings to advise HUIT on potential new privacy initiatives that the University is considering instituting.

After a delay in convening due to staff turnover, the Committee has welcomed new members, and broadened its reach in include representatives from additional Schools.

• The FY20 report demonstrates that requests have remained relatively consistent over the past three years.
• The Committee discussed legalities of email privacy when a lawsuit is filed against the University.
• The Committee discussed the process for reviewing the Policy and proposing amendments. All agreed to form a working group to review the current Policy and propose amendments to the President and Provost to better account for evolving privacy concerns.
• The University Policy on Access to Electronic Information and the Report of the Electronic Communications Policy provide a framework for assessment and guidance on electronic privacy issues.

In addition to its normal business, the Committee is serving as a resource and providing guidance for electronic privacy-related issues for the University’s Pandemic efforts.

• Members of ECPOC are involved in development of pandemic efforts and creation of applications to support contact tracing. 
• The Committee assessed a Report on the Electronic Sources of Data for University Pandemic Efforts.
• The Committee will help provide oversight for the TraceFi system if it continues beyond its initial pilot.
• The Committee advised on storage of pandemic-relevant data collected through applications.
• The University Policy on Access to Electronic Information and the Report of the Electronic Communications Policy provide a framework for assessment and guidance on electronic privacy issues, including issues pertaining to the University’s pandemic response efforts.

• Annual review of data searches echoed trend in previous years showing that most data search requests stemmed from legal process and litigation. This shift reflects improved processes for handling the electronic data of individuals.
• The Committee discussed the University’s Video Conferencing Policy and updated rules and best practices for the recording of classroom sessions conducted via Zoom.
• The Committee assessed email archiving practices and proposed standards for operation.
• The Committee discussed tactics for creating greater cultural awareness of privacy at the University. The University aspires to be at the forefront of privacy protection and has set a goal for consistency of privacy notices across all commonly used applications.

• Annual review of data searches echoed last year’s trend showing that most data search requests stemmed from legal process and litigation. This shift probably reflects improved processes for handling the electronic data of individuals.
• The Committee discussed the Syllabus Explorer project and proposed a clear opt-out option for faculty.
• The Committee advised HUIT on possible privacy issues related to its move of University’s emergency communications to a new platform that provides greater stability and enables messaging to mobile devices.
• The Committee reviewed actions to blacklist certain email addresses sending fraudulent emails to the community and discussed the use of third-party platforms throughout the community.

• During FY 18, the committee reviewed a total of 39 searches: 31 Legal Process & Litigation; 3 Internal Investigations of Misconduct; 2 Business Continuity; 1 Safety Matters; 1 Other; and 1 System Protection, Maintenance & Management.*
• Annual review of data searches revealed that, while the number of searches was the same as for the previous year, there was a significant increase in requests stemming from legal process and litigation, and a reduction in requests related to business continuity. This shift probably reflects improved processes for handling the electronic data of individuals leaving the University.
• Throughout the year, the Committee met with subject-area experts at the university to discuss the Canvas System and potential implications for student privacy.
• The Committee reviewed archive practices for faculty emails and gift agreements and made recommendations for formalized procedures in relation to them.
• In anticipation of the GDPR data protections taking effect in 2018, the Committee reviewed how these new rules might impact the Policy.
• John Goldberg, Eli Goldston Professor at Harvard Law School, completed his service as chair of the committee since 2014. Stephen Chong, Gordon McKay Professor of Computer Science in the Faculty of Arts and Sciences, has been appointed as his successor.

• During FY 17, the committee reviewed a total of 51 searches: 32 Legal Process & Litigation; 9 Business Continuity; 6 Internal Investigations of Misconduct; 2 Safety Matters; and 2 Other.
• Annual review of data searches in academic year 2015-16 revealed a modest increase that probably reflects better record-keeping prompted by widespread adoption of the Policy rather than an increase in actual search activity.
• The Committee considered issues and offered recommendations concerning access to student-related data available through Canvas and the my.harvard student information system.
• The Committee reviewed alleged security inadequacies within the list service provided by the student-run Harvard Computer Society (“HCS”). HUIT provided guidance to HCS and the organization dealt with the problem rapidly. The Committee discussed ways in which a reoccurrence of this practice could be avoided.

• During FY 16, the committee reviewed a total of 51 searches: 18 Legal Process & Litigation; 16 Business Continuity; 9 Safety Matters; 5 Internal Investigations of Misconduct; 2 Other; and 1 System Protection, Maintenance & Management.
• Annual review of data searches of user electronic information to assess, among other things, the frequency of searches, their distribution among faculty, student and staff, and the stated reasons for searches.
• Following a bomb scare conveyed by email, the committee reviewed the process undertaken to rapidly determine credibility of the threat and to identify the sender. The Policy includes an emphasis on acting judiciously but swiftly in the case of an emergency, both to assess the need for performing electronic communication searches, and then carrying those out with the proper protocol and documentation. The Committee heard a detailed description and timeframe of HUIT’s actions and agreed that the choices were appropriate interpretations of Policy’s guidelines and recommendations, and also noted that the Policy’s protocols did not cause undue delays.
• The Committee reviewed a draft policy on use of video cameras on campus and made suggestions for more clearly stated guidelines for the circumstances under which video camera footage could be used.
• The Committee spent considerable time in discussion about HUIT efforts to improve information security.

• During FY 15, the committee reviewed a total of 23 searches: 8 Internal Investigations of Misconduct; 8 Business Continuity; 6 Legal Process & Litigation; and 1 System Protection, Maintenance & Management.
• The committee conducted its initial assessment of the Policy. Implementation of the Policy was found to be successful and revealed general satisfaction across the community.
• The Committee reviewed HUIT efforts to ensure that key university personnel have been properly trained in the Policy and the limits it sets on electronic searches.
• Review of the HILT classroom attendance study for compliance with the Policy and for issues that the study might raise beyond the scope of the Policy.
• Consideration of the application of the Policy to the collection and search of ‘card swipe’ data, particularly data pertaining to the entrance and exit of University buildings.
• Identification of possible privacy matters outside the scope of the Policy that may warrant the attention of other University officials or bodies, including the on-campus use of video cameras, as well as data collection through CANVAS course management software.

• During FY 14, the committee reviewed a total of 32 searches: 10 Business Continuity; 9 Legal Process & Litigation; 8 Internal Investigations of Misconduct; 4 Safety Matters; and 1 System Protection, Maintenance & Management.

Definitions of search purposes are defined in the Policy on Access to Electronic Information.