COUNCIL

The following report of the University Council Committee on Communications is on the agenda for discussion at Council Wednesday, March 20.

Draft Policy on Privacy of Electronic Information

October 16, 1995

I. Policy

The University of Pennsylvania is committed to protecting the personal privacy of members of the University community. Violations of privacy can take many forms, sometimes inadvertent or well-intended. The mutual trust and freedom of thought and expression essential to a university rest on a confidence that privacy will be respected and disclosures of personal information will not be made without the informed consent of the individual. The ultimate protection of our privacy comes from a community-wide awareness of the importance of privacy in our society and the many ways it can be eroded.

Privacy of Institutional Data

Information about individual students, faculty, and staff (as well as former students, faculty, and staff) must be maintained by the University to support its mission. It is University policy that such information be collected, stored, and used only for appropriate, necessary, and clearly-defined purposes. Access to such information must be controlled and safeguarded in order to ensure privacy. The ease and flexibility, and transparency, with which electronic information can be accessed, linked and displayed can set the stage for abuse of privacy. When systems are designed, upgraded or integrated, the application steward (the primary business sponsor of the application), working together with the data steward (the individual with primary responsibility for the data) should address the issues of confidentiality and privacy, and the need for informed consent to the release of personal information. Inadequate attention to the issues of privacy of personal information will be subject to sanctions.

When personal information is solicited from a member of the University community, that person should be informed of the purpose for requesting such information, the intended use of the information, and the consequences, if any, of not supplying it. In addition, the University collects personally identifiable information about members of this community in the course of its routine operations (e.g. computer logins, building access via PennCard). Such collection should be well- publicized and University community members should be informed about the intended use of the information, safeguards against unauthorized access, and their options, if any, to prevent its collection. All information provided by or collected about University community members should, when individually identifiable, be used only for the stated purpose(s).

To the extent that it is consistent with the privacy of others, with the University's policies on confidentiality of student and employee records, and with the traditional confidentiality of faculty peer review and evaluation, an individual should be provided the means for seeing and obtaining copies of records about him or her maintained by the University, as well as for challenging the accuracy and completeness and the propriety of the use of such records.

Persons with responsibility for records containing personal information should exercise diligence to ensure accuracy and completeness. Safeguards must be provided to protect personal information against accidental or intentional misuse or improper disclosure within or outside the University. Misuse or improper disclosure of such information may lead to sanctions against the responsible individuals.

The educational records of current and former students are subject not only to the policies stated in this document but also to the University's policy on the confidentiality of student records.

When records containing personal information are no longer needed, the records should be appraised to determine whether they should be destroyed or archived with appropriate protection of privacy under the Protocols for the University Archives and Records Center.

Privacy of Personal Electronic Information

Any information created or controlled by individuals is personal (with the exception of records generated or received by administrative officers of the University relating to their official duties, which are institutional). All such information is personal not only when it is unique, but also when copies have been shared with other individuals or when it has been obtained from or copied to public or institutional data. Personal electronic information includes electronic mail, files and directories of messages and files. When this information has not been intentionally made publicly accessible it is private. The privacy of the original extends to any copies made in backing up any system on which it is stored, temporarily or permanently.

Faculty members, staff and students are afforded the same protection against the intentional invasion of the privacy of their personal electronic information stored on their own equipment or residing on or transmitted over University equipment as over the contents of an on-campus office or dormitory room. This information may not be searched without the same level of authorization as for physical searches of comparable on-campus facilities. The rights to privacy and due process must be observed.

Restrictions on access to staff members' electronic information may be less severe because such information is used in carrying out the individual's job. In the event of absences, material related to that job may be needed by others and it should be assumed that the supervisor may authorize access. This does not provide the supervisor with blanket permission to view all of the staff member's electronic information. Departments should inform their staff members which information may be accessed in their absence and the level of privacy afforded such information. In the event of suspected misconduct, care must be taken to obtain the same level of authorization to view personal electronic information as would be required for gathering tangible evidence.

Faculty or staff members or students leaving the University have the same privacy rights over personal electronic information remaining at the University as they enjoyed prior to their departure.

Exceptions In the case of court orders, subpoenas, or other requirements with the force of law, institutional data containing information about an individual or personal electronic information may be released. That individual should be notified of the request and consequent release of information as soon as possible within the constraints of the order or subpoena, and the required information should only be released by an authorized officer of the University. The Director of Internal Audit may access institutional data or personal electronic information in the course of an investigation carried out under the guidelines laid out in the Policy on Safeguarding University Assets.

The University will reject all other requests from individuals and extramural organizations-- government, professional associations, business enterprises, etc.--for the release of institutional data containing personally identifiable information, for purposes not foreseen and made clear at the time that it was collected. Requesters will be informed that release of such information is contrary to this policy. At its discretion the University may offer to the requester to seek the permission of the individuals affected for the release of the requested information and to release only that for which such permission is granted.

Awareness

The Office of the Vice Provost for Information Systems and Computing, or designate, shall work to increase the awareness of issues of electronic privacy and of measures that individuals can take to increase their privacy, and to support and coordinate the provision and use of such measures.

II. Policy Interpretations

The technology environment at the University of Pennsylvania is large, rich, and complex. Different procedures for handling electronic information including electronic mail and personal files are used at different sites across the institution. While it is not necessary that uniformity be achieved, it is desirable that there be coherence among the systems and that a minimum level of privacy be sought throughout the University. Those with access to the electronic information of others who violate the minimal privacy standard, or permit others to do so, will be subject to sanctions. In this way users can be confident that privacy will be respected as long as their communications do not leave the University. Expectations regarding these services must be made clear to all service providers.

The following guidelines for the implementation of this policy will be expanded as necessary to clarify its interpretation and requirements.

  1. Access to electronic information should not be substituted for good administrative and personnel management practices. For example, if a manager is concerned about an employee's improper use of electronic mail or electronic news groups the manager should first:

    a) Make certain that expectations and standards in this area have been made clear to the employee, and

    b) Speak directly to the employee about the issue.

  • Potential uses of personally identifiable information that were not anticipated at the time that it was collected will arise. However desirable or innocuous those uses may appear, if informed consent to release of personal information has not been sought, and therefore not given, such uses are proscribed. Community members should, however, be aware that when they consent to release of personal information in one context, that consent is assumed to extend to analogous contexts. Submission of one's home address to the University Telephone Directory, for example, could permissibly lead to its inclusion in a list of home addresses by ZIP code circulated within the University.

  • The University assigns certain individuals responsibility for maintaining computing resources. In the normal course of duties, some individuals may have special access privileges to hardware and software and therefore to the content of electronic mail and personal files. The University will strive to protect personal privacy by ensuring that the number of individuals with this level of access is limited, that they are selected for their judgment and ethics, as well as their technical expertise, and that such individuals are aware of the policies stated in this document. Such positions, and the individuals who hold them, will be governed through defined responsibilities and procedures. (See section III, "Standards for Postmasters," and section IV, "Interpretive Guidelines and Procedures for System Administrators and Computing Service Managers," below.)

  • Electronic information may pass out of one machine environment, across a network, and into another totally different machine environment while remaining within the University. Despite these complexities, protection of privacy must remain a central University goal. It is important for individuals to understand, however, that once information leaves the University and travels between universities, states and nations there can be no assurance that privacy will be respected.

  • Electronic mail may be compromised because of an individual's own difficulty in sending a message to an intended recipient. The sender may be uncertain about remote addressing; the message may not be deliverable, and a rejection message may be generated. If such rejections can be delivered to the original sender, ordinarily no other person sees the message. If, however, the message cannot be delivered to the original sender, systems can be configured to either pass the message to someone (a postmaster) for assistance or to discard the rejection without the sender knowing anything about the problem.

    Postmasters are individuals who have the specific duties of enabling undeliverable mail to reach its destination, handling other delivery problems, and answering user questions about mail travel. Users should be assured that the privacy of mail sent to postmasters is protected to the fullest extent possible consistent with the proper discharge of their job responsibilities (see III below).

  • Procedures for backing up systems may vary widely across campus. Users need to be informed about the back-up procedures in the environment in which they are working because those procedures will ultimately determine what information has been retained in the course of backing up the system and perhaps what may be accessible by others through legal means.

  • System backups should be routinely purged when no longer required.

    III. Standards for Postmasters

    Postmasters have specific responsibilities and access capabilities. Because of these access privileges, they are expected to exercise special care to protect the privacy of the individuals whose electronic communications they handle.

    Postmasters at the University of Pennsylvania shall adhere to the following standards:

    1. Respect privacy by staying informed about and following University policy regarding privacy in electronic communications.

    2. Make every effort to only use mail headers and machine-generated messages in order to return undeliverable mail, and if possible, first consult users if it seems necessary to go beyond machine-generated headers.

    3. Avoid reading message content to the greatest degree possible.

    4. Keep confidential the content of any message that was inadvertently read in the course of redirecting undeliverable mail.

    IV. Interpretive Guidelines and Procedures for System Administrators and Computing Service Managers

    System administrators at the University of Pennsylvania are responsible for taking specific actions to ensure, to the greatest degree possible, the enforcement of this policy. Since the maintenance of privacy depends on system security they should be diligent in staying informed about and implementing security-related corrections to their operating system and other system software. They should ensure that users of their systems are made aware of their privacy rights and the level of privacy they can expect, and encourage them to follow practices that optimize the security of their accounts. In particular they must maintain the level of security of mail and other information that is deliverable under conditions described in section III, "Standards for Postmasters."

    System administrators should keep confidential the content of any electronic mail message or personal file that they accidentally or necessarily see in the course of performing their duties.

    A copy of this document together with explanatory and illustrative materials should be distributed to each system administrator when he or she assumes such a position and annually thereafter. Receipt of this information should be acknowledged. Failure to maintain the standards specified in this document may result in sanctions.

    V. Attribution

    This text is based, in part, on policy statements from the Massachusetts Institute of Technology, the University of Michigan and Colby College.

    Council Committee on Communications

    Chair: James O'Donnell (classical studies)

    Co-Chair: Ira Winston (SEAS computing)

    Faculty:
    Dennis DeTurck (mathematics)
    Alan Filreis (English)
    Steven Kimbrough (operations and information management)
    Mark Liberman (linguistics)
    John Lubin (management)
    Martin Pring (physiology/medicine)
    Burton Rosan (microbiology/dental)

    Administration:
    Carol Meisenger (publications)
    Jennifer Conway (Leonard Davis Institute)

    A-3:
    Gene Haldeman (undergraduate admissions)
    Gregory Smith (Wharton)

    Students:
    Venkat Krovi (SEAS Ph.D.)
    David Shapiro (Col/Wharton '97)
    Amy Stover (Col '98)
    One graduate/professional student to be named

    Ex officio:
    Barbara Beck (news and public affairs)
    Paul Mosher (Libraries)
    Steven Murray (business services)
    Peter Patton (information systems and computing)

    Almanac

    March 19, 1996
    Volume 42 Number 24

    Return to Almanac's homepage.

    Return to the index for this issue.