COUNCIL
Committee on Communications
Report to University Council of the Findings from a One-Year Review of the Policy on Privacy in the Electronic Environment
January 25, 2002
Background:
The development of an Electronic Privacy Policy for the University
was a multi-year project that began with a subcommittee appointed
in 1994-95. Under the guidance of Dr. Martin Pring (past chair,
Communications Committee) this policy was approved and the final
version was published in Almanac (September
19, 2000). Dr. Pring provided an accompanying article on "Electronic
Privacy in Practice," which interpreted aspects of the policy.
The policy deals with information created, stored or transmitted
through University Electronic Data Systems. It defines specific
circumstances under which electronic records may be reviewed and
by whom. It defines different levels of expected privacy for Faculty,
Staff and Students. The impetus for this policy was not specific
activities at the University but rather a number of instances of
interception of personal employee e-mail communications by private
sector corporate employers and the development of surveillance
programs that could potentially compromise the concept of academic
freedom. In addition, with the increasing use of e-mail, many
data system administrators were seeking guidance with respect
to the privacy of a user's files and messages.
Scope of review:
This review was undertaken at the end of the first year of the policy's
approval. The review was limited to this Policy on Privacy in
the Electronic Environment. This policy has been confused with
the Policy on Acceptable Use of Electronic Resources (Adopted
7/1/97) and current activities concerning the Privacy of Personal
Information. These address very different concerns and are distinct
in scope and character from the Electronic Environment Privacy
Policy.
Methods:
The chair of the Communications Committee contacted, by e-mail, all
of the officers having a stated role in the interpretation, enforcement
and appeal from the application of this policy. Public notices
of this review soliciting Community input were placed in the Daily
Pennsylvanian and in Almanac (two notice placements
in each). The Communications Committee meeting of November 2,
2002, was devoted to a review of this policy. David Millar (University
Information Security Officer) and Robert Terrell, Esq. (Office
of the General Counsel) were present at this meeting. The committee
meeting of December 14, 2002, continued discussion related to
the review.
Findings:
1) The key offices involved with the implementation and interpretation of this policy are Information Security and the General Counsel. The Office of Audit and Compliance, the University Ombudsman, the Division of Human Resources, and the Office of the Vice Provost of University Life have had minimal to no involvement with this policy during its first year.
2) In practice, requests for access are routed through the Information Security Officer. Access requests from outside the University require a subpoena.
3) There have been relatively few cases involving this policy. There have been no requests to examine e-mail. Most of the requests have involved files or logs.
4) David Millar reviewed ten cases that fell under this policy. Two involved investigation of alleged criminal activity, three involved suspected violation of University Regulations, one required access in order to handle an emergency, and four were related to the University's need for stored information required to conduct normal business. In several cases the owner of the information consented to access; in others Mr. Millar denied access based on the Electronic Privacy Policy. The Committee members present for this review felt that the decisions were appropriate and consistent with the guidelines.
5) Mr. Terrell noted that, in one or two cases, anonymous e-mail from within the University caused significant friction with the recipients of these messages, who did not understand the open nature of the University.
6) The Policy creates a uniform standard throughout the University, and both Mr. Millar and Mr. Terrell felt that this was most helpful to systems operators and other computer personnel.
7) The Policy has not been widely disseminated to students, faculty and many staff. However, it is being used as part of the Information Technology Employee Orientation (per Mr. Millar).
Conclusions:
The Electronic Privacy Policy has been in effect since mid-September
2000. The committee could find no complaints concerning its implementation.
The committee could find no significant University Community concern
about the policy. The two major administrative groups that are
involved with the implementation of this policy appear to be working
well together and have a reasonably consistent outlook. Those
involved with enforcing and interpreting the policy feel that
it is providing useful guidelines toward determining who, and
under what conditions, may have access to various electronic files
and logs. The policy has not been widely disseminated and copies
of the policy are difficult to find outside its publication in
Almanac.
Recommendations:
The committee recommends the following:
1) The policy be continued as is.
2) No significant revision is needed at this time.
3) Another review should be scheduled for 2004 (2 years from this review).
4) Steps should be taken to increase its availability and visibility. The committee has begun this process through committee member Amy Johnson, who is working to have this policy incorporated into the PENN BOOK, which will provide on-line and printed copies of the Policy for students. Publication in the Faculty Handbook might also be of use, and committee member Martin Pring has contacted Associate Provost Barbara Lowery about such inclusion.
--David S. Smith, Chair
2000-2001 Committee Members
Chair: David S. Smith (Anesth/Med)
Faculty: Cristle Collins Judd (Music); Ellis Golub (Biochem/Dental); Steven Kimbrough (Oper & Info Mgmt); Martin Pring (Physiol/Med); Ann Rogers (Nursing); Dana Tomlin (Landscape Arch)
Graduate/professional students: Jennifer Baldwin (GSFA); Aveek Das (GEP)
Undergraduate students: Diana Elkind; Mariama Jerrel
PPSA: Valerie Sutton (Wharton); Helma Weeks (Commun/Vet sch)
A-3: Rochelle Mitchell (General Counsel's Office)
Ex-officio: Lori Doyle (Dir University Communications); Amy Johnson (Business Serv); Paul Mosher (Vice prov & Dir Libraries); Leroy Nunery (VP Business Serv); James O'Donnell (Vice Provost for ISC)
Staff: Tram Nguyen