Electronic Communications Policy Oversight Committee

Overview

The ECPOC was established in 2014 to address policy considerations arising in connection with the University Policy on Access to Electronic Information, and to make recommendations to the University President for improvements.

This faculty-led, university-wide committee gathers input from key stakeholders to inform its review of and recommendations concerning the Policy. The Committee is focused on ensuring that appropriate systems are in place to safeguard confidentiality in electronic communications. The Committee is also a resource to provide feedback and guidance on privacy-related issues within Harvard University.

Membership

  • Chris Bavitz (HLS)
  • Tim Bowman (SEAS)
  • Ron Chandler (HBS)
  • Stephen Chong, Chair (FAS, SEAS)
  • Peter Koellner (FAS)
  • Barbara McNeil (HMS)
  • Mathias Risse (HKS)
  • Latanya Sweeney (FAS)
  • James Waldo (FAS, SEAS)

Staff

  • Brad Abruzzi (OGC)
  • Nathan Hall (HUIT)
  • Klara Jelinkova (HUIT)
  • Peggy Newell (Provost's Office)
  • Emily Vetter (Provost’s Office)

Annual Reporting Summaries

2020-2021

In addition to its normal business, the Committee is serving as a resource and providing guidance for electronic privacy-related issues for the University’s pandemic efforts.

  • Members of ECPOC are involved in development of pandemic efforts and creation of applications to support contact tracing. 
  • The Committee assessed a Report on the Electronic Sources of Data for University Pandemic Efforts.
  • The Committee will help provide oversight for the TraceFi system if it continues beyond its initial pilot.
  • The Committee advised on storage of pandemic-relevant data collected through applications.
  • The University Policy on Access to Electronic Information and the Report of the Electronic Communications Policy provide a framework for assessment and guidance on electronic privacy issues, including issues pertaining to the University’s pandemic response efforts.

2019-2020

  • Annual review of data searches echoed the trend of previous years, showing that most data search requests stemmed from legal process and litigation. This shift reflects improved processes for handling the electronic data of individuals.
  • The Committee discussed the University’s Video Conferencing Policy and updated rules and best practices for the recording of classroom sessions conducted via Zoom.
  • The Committee assessed email archiving practices and proposed standards for operation.
  • The Committee discussed tactics for creating greater cultural awareness of privacy at the University. The University aspires to be at the forefront of privacy protection and has set a goal for consistency of privacy notices across all commonly used applications.

2018-2019

  • Annual review of data searches echoed last year’s trend showing that most data search requests stemmed from legal process and litigation. This shift probably reflects improved processes for handling the electronic data of individuals.
  • The Committee discussed the Syllabus Explorer project and proposed a clear opt-out option for faculty.
  • The Committee advised HUIT on possible privacy issues related to its move of the University’s emergency communications to a new platform that provides greater stability and enables messaging to mobile devices.
  • The Committee reviewed actions to blacklist certain email addresses sending fraudulent emails to the community and discussed the use of third-party platforms throughout the community.

2017-2018

  • During FY 18, the committee reviewed a total of 39 searches: 31 Legal Process & Litigation; 3 Internal Investigations of Misconduct; 2 Business Continuity; 1 Safety Matters; 1 Other; and 1 System Protection, Maintenance & Management.*
  • Annual review of data searches revealed that, while the number of searches was the same as for the previous year, there was a significant increase in requests stemming from legal process and litigation, and a reduction in requests related to business continuity. This shift probably reflects improved processes for handling the electronic data of individuals leaving the University.
  • Throughout the year, the Committee met with subject-area experts at the university to discuss the Canvas System and potential implications for student privacy.
  • The Committee reviewed archive practices for faculty emails and gift agreements and made recommendations for formalized procedures in relation to them.
  • In anticipation of the GDPR data protections taking effect in 2018, the Committee reviewed how these new rules might impact the Policy.
  • John Goldberg, Eli Goldston Professor at Harvard Law School, completed his service as chair of the committee, a role he had held since 2014. Stephen Chong, Gordon McKay Professor of Computer Science in the Faculty of Arts and Sciences, has been appointed as his successor.

2016-2017

  • During FY 17, the committee reviewed a total of 51 searches: 32 Legal Process & Litigation; 9 Business Continuity; 6 Internal Investigations of Misconduct; 2 Safety Matters; and 2 Other.
  • Annual review of data searches in academic year 2015-16 revealed a modest increase that probably reflects better record-keeping prompted by widespread adoption of the Policy rather than an increase in actual search activity.
  • The Committee considered issues and offered recommendations concerning access to student-related data available through Canvas and the my.harvard student information system.
  • The Committee reviewed alleged security inadequacies within the list service provided by the student-run Harvard Computer Society (“HCS”). HUIT provided guidance to HCS and the organization dealt with the problem rapidly. The Committee discussed ways in which a reoccurrence of this practice could be avoided.

2015-2016

  • During FY 16, the committee reviewed a total of 51 searches: 18 Legal Process & Litigation; 16 Business Continuity; 9 Safety Matters; 5 Internal Investigations of Misconduct; 2 Other; and 1 System Protection, Maintenance & Management.
  • Annual review of data searches of user electronic information to assess, among other things, the frequency of searches, their distribution among faculty, student and staff, and the stated reasons for searches.
  • Following a bomb scare conveyed by email, the committee reviewed the process undertaken to rapidly determine the credibility of the threat and to identify the sender. The Policy includes an emphasis on acting judiciously but swiftly in the case of an emergency, both in assessing the need for performing electronic communication searches and in carrying those out with the proper protocol and documentation. The Committee heard a detailed description and timeframe of HUIT’s actions and agreed that the choices were appropriate interpretations of the Policy’s guidelines and recommendations, and also noted that the Policy’s protocols did not cause undue delays.
  • The Committee reviewed a draft policy on use of video cameras on campus and made suggestions for more clearly stated guidelines for the circumstances under which video camera footage could be used.
  • The Committee spent considerable time in discussion about HUIT efforts to improve information security.

2014-2015

  • During FY 15, the committee reviewed a total of 23 searches: 8 Internal Investigations of Misconduct; 8 Business Continuity; 6 Legal Process & Litigation; and 1 System Protection, Maintenance & Management.
  • The committee conducted its initial assessment of the Policy. Implementation of the Policy was found to be successful and revealed general satisfaction across the community.
  • The Committee reviewed HUIT efforts to ensure that key university personnel have been properly trained in the Policy and the limits it sets on electronic searches.
  • Review of the HILT classroom attendance study for compliance with the Policy and for issues that the study might raise beyond the scope of the Policy.
  • Consideration of the application of the Policy to the collection and search of ‘card swipe’ data, particularly data pertaining to the entrance and exit of University buildings.
  • Identification of possible privacy matters outside the scope of the Policy that may warrant the attention of other University officials or bodies, including the on-campus use of video cameras, as well as data collection through CANVAS course management software.

2013-2014

  • During FY 14, the committee reviewed a total of 32 searches: 10 Business Continuity; 9 Legal Process & Litigation; 8 Internal Investigations of Misconduct; 4 Safety Matters; and 1 System Protection, Maintenance & Management.

Definitions of Search Purposes

*Search purposes are defined in the Policy on Access to Electronic Information as follows:

Business Continuity

User electronic information may be accessed for the purpose of ensuring continuity in business operations. This need can arise, for example, if an employee who typically has access to the files in question is unavailable due to illness or vacation.

Internal Investigations of Misconduct

The University may access user electronic information in connection with investigations of misconduct by members of the University community, but only when the authorizing person, after weighing the need for access with other University values, has determined that such investigation would advance a legitimate institutional purpose and that there is a sufficient basis for seeking such access.

Legal Process and Litigation

The University may access user electronic information in connection with threatened or pending litigation, and to respond to lawful demands for information in law enforcement investigations, other government investigations, and legal processes.

Safety Matters

The University may access user electronic information to deal with exigent situations presenting threats to the safety of the campus or to the life, health, or safety of any person.

System Protection, Maintenance, and Management

University systems require ongoing maintenance and inspection to ensure that they are operating properly; to protect against threats such as attacks, malware, and viruses; and to protect the integrity and security of information. University systems also require regular management, for example, in order to implement new software or other facilities. To do this work, the University may scan or otherwise access user electronic information.