Electronic Communications Policy Oversight Committee
The ECPOC was established in 2014 to address policy considerations arising in connection with the University Policy on Access to Electronic Information, and with making recommendations to the University President for improvements.
This faculty-led university-wide committee gathers input from key stakeholders to inform their review of and recommendations concerning the Policy. The Committee is focused on ensuring that appropriate systems are in place to safeguard confidentiality in electronic communications. The Committee is also a resource to provide feedback and guidance on privacy-related issues within Harvard University.
- Christopher Bavitz (HLS)
- Stephen Chong, Chair (FAS, SEAS)
- Shirley Greene (DCE)
- Gabe Handel (HBS)
- Peter Koellner (FAS)
- Dan McKanan (HDS)
- Barbara McNeil (HMS)
- Jukka-Pekka Onnela (HSPH)
- Mathias Risse (HKS)
- Latanya Sweeney (FAS)
- James Waldo (SEAS, HKS)
- Brad Abruzzi (OGC)
- Courtney Ackerman (Provost’s Office)
- Klara Jelinkova (HUIT)
- Peggy Newell (Provost's Office)
- Michael Tran Duff (HUIT)
Annual Reporting Summaries
After a delay in convening due to staff turnover, the Committee has welcomed new members, and broadened its reach in include representatives from additional Schools.
- The FY20 report demonstrates that requests have remained relatively consistent over the past three years.
- The Committee discussed legalities of email privacy when a lawsuit is filed against the University.
- The Committee discussed the process for reviewing the Policy and proposing amendments. All agreed to form a working group to review the current Policy and propose amendments to the President and Provost to better account for evolving privacy concerns.
- The University Policy on Access to Electronic Information and the Report of the Electronic Communications Policy provide a framework for assessment and guidance on electronic privacy issues.
In addition to its normal business, the Committee is serving as a resource and providing guidance for electronic privacy-related issues for the University’s Pandemic efforts.
- Members of ECPOC are involved in development of pandemic efforts and creation of applications to support contact tracing.
- The Committee assessed a Report on the Electronic Sources of Data for University Pandemic Efforts.
- The Committee will help provide oversight for the TraceFi system if it continues beyond its initial pilot.
- The Committee advised on storage of pandemic-relevant data collected through applications.
- The University Policy on Access to Electronic Information and the Report of the Electronic Communications Policy provide a framework for assessment and guidance on electronic privacy issues, including issues pertaining to the University’s pandemic response efforts.
- Annual review of data searches echoed trend in previous years showing that most data search requests stemmed from legal process and litigation. This shift reflects improved processes for handling the electronic data of individuals.
- The Committee discussed the University’s Video Conferencing Policy and updated rules and best practices for the recording of classroom sessions conducted via Zoom.
- The Committee assessed email archiving practices and proposed standards for operation.
- The Committee discussed tactics for creating greater cultural awareness of privacy at the University. The University aspires to be at the forefront of privacy protection and has set a goal for consistency of privacy notices across all commonly used applications.
- Annual review of data searches echoed last year’s trend showing that most data search requests stemmed from legal process and litigation. This shift probably reflects improved processes for handling the electronic data of individuals.
- The Committee discussed the Syllabus Explorer project and proposed a clear opt-out option for faculty.
- The Committee advised HUIT on possible privacy issues related to its move of University’s emergency communications to a new platform that provides greater stability and enables messaging to mobile devices.
- The Committee reviewed actions to blacklist certain email addresses sending fraudulent emails to the community and discussed the use of third-party platforms throughout the community.
- During FY 18, the committee reviewed a total of 39 searches: 31 Legal Process & Litigation; 3 Internal Investigations of Misconduct; 2 Business Continuity; 1 Safety Matters; 1 Other; and 1 System Protection, Maintenance & Management.*
- Annual review of data searches revealed that, while the number of searches was the same as for the previous year, there was a significant increase in requests stemming from legal process and litigation, and a reduction in requests related to business continuity. This shift probably reflects improved processes for handling the electronic data of individuals leaving the University.
- Throughout the year, the Committee met with subject-area experts at the university to discuss the Canvas System and potential implications for student privacy.
- The Committee reviewed archive practices for faculty emails and gift agreements and made recommendations for formalized procedures in relation to them.
- In anticipation of the GDPR data protections taking effect in 2018, the Committee reviewed how these new rules might impact the Policy.
- John Goldberg, Eli Goldston Professor at Harvard Law School, completed his service as chair of the committee since 2014. Stephen Chong, Gordon McKay Professor of Computer Science in the Faculty of Arts and Sciences, has been appointed as his successor.
- During FY 17, the committee reviewed a total of 51 searches: 32 Legal Process & Litigation; 9 Business Continuity; 6 Internal Investigations of Misconduct; 2 Safety Matters; and 2 Other.
- Annual review of data searches in academic year 2015-16 revealed a modest increase that probably reflects better record-keeping prompted by widespread adoption of the Policy rather than an increase in actual search activity.
- The Committee considered issues and offered recommendations concerning access to student-related data available through Canvas and the my.harvard student information system.
- The Committee reviewed alleged security inadequacies within the list service provided by the student-run Harvard Computer Society (“HCS”). HUIT provided guidance to HCS and the organization dealt with the problem rapidly. The Committee discussed ways in which a reoccurrence of this practice could be avoided.
- During FY 16, the committee reviewed a total of 51 searches: 18 Legal Process & Litigation; 16 Business Continuity; 9 Safety Matters; 5 Internal Investigations of Misconduct; 2 Other; and 1 System Protection, Maintenance & Management.
- Annual review of data searches of user electronic information to assess, among other things, the frequency of searches, their distribution among faculty, student and staff, and the stated reasons for searches.
- Following a bomb scare conveyed by email, the committee reviewed the process undertaken to rapidly determine credibility of the threat and to identify the sender. The Policy includes an emphasis on acting judiciously but swiftly in the case of an emergency, both to assess the need for performing electronic communication searches, and then carrying those out with the proper protocol and documentation. The Committee heard a detailed description and timeframe of HUIT’s actions and agreed that the choices were appropriate interpretations of Policy’s guidelines and recommendations, and also noted that the Policy’s protocols did not cause undue delays.
- The Committee reviewed a draft policy on use of video cameras on campus and made suggestions for more clearly stated guidelines for the circumstances under which video camera footage could be used.
- The Committee spent considerable time in discussion about HUIT efforts to improve information security.
- During FY 15, the committee reviewed a total of 23 searches: 8 Internal Investigations of Misconduct; 8 Business Continuity; 6 Legal Process & Litigation; and 1 System Protection, Maintenance & Management.
- The committee conducted its initial assessment of the Policy. Implementation of the Policy was found to be successful and revealed general satisfaction across the community.
- The Committee reviewed HUIT efforts to ensure that key university personnel have been properly trained in the Policy and the limits it sets on electronic searches.
- Review of the HILT classroom attendance study for compliance with the Policy and for issues that the study might raise beyond the scope of the Policy.
- Consideration of the application of the Policy to the collection and search of ‘card swipe’ data, particularly data pertaining to the entrance and exit of University buildings.
- Identification of possible privacy matters outside the scope of the Policy that may warrant the attention of other University officials or bodies, including the on-campus use of video cameras, as well as data collection through CANVAS course management software.
- During FY 14, the committee reviewed a total of 32 searches: 10 Business Continuity; 9 Legal Process & Litigation; 8 Internal Investigations of Misconduct; 4 Safety Matters; and 1 System Protection, Maintenance & Management.
Definitions of Search Purposes
*Definitions of search purposes are defined in the Policy on Access to Electronic Information as follows:
User electronic information may be accessed for the purpose of ensuring continuity in business operations. This need can arise, for example, if an employee who typically has access to the files in question is unavailable due to illness or vacation.
Internal Investigations of Misconduct
The University may access user electronic information in connection with investigations of misconduct by members of the University community, but only when the authorizing person, after weighing the need for access with other University values, has determined that such investigation would advance a legitimate institutional purpose and that there is a sufficient basis for seeking such access.
Legal Process and Litigation
The University may access user electronic information in connection with threatened or pending litigation, and to respond to lawful demands for information in law enforcement investigations, other government investigations, and legal processes.
The University may access user electronic information to deal with exigent situations presenting threats to the safety of the campus or to the life, health, or safety of any person.
System Protection, Maintenance, and Management
University systems require ongoing maintenance and inspection to ensure that they are operating properly; to protect against threats such as attacks, malware, and viruses; and to protect the integrity and security of information. University systems also require regular management, for example, in order to implement new software or other facilities. To do this work, the University may scan or otherwise access user electronic information.