Harvard Data Privacy Policy — Too Much or Too little?
Over the last few days, I’ve had the opportunity to read through Harvard’s “Policy on Access to Electronic Information” for the first time as an undergraduate at the College. To be frank, this is one of the few privacy policies I’ve actually read through entirely, despite accepting hundreds of privacy policies all the time (e.g. Google search, Google mail, apple products, etc). The policy itself is incredibly short and readable, unlike most privacy policies that we are often presented with when using different products — think about the long privacy agreements that are required prior to the use of just about any software product. The readability of this document means that I was able to fully understand the policy in a short amount of time (An actual copy of the information can be found here: policy_on_access_to_electronic_information.).
The privacy policy itself is entirely grounded on six important principles, which are the following.
- Access should occur only for a legitimate and important University purpose.
- Access should be authorized by an appropriate and accountable person.
- In general, notice should be given when user electronic information will be or has been accessed.
- Access should be limited to the user electronic information needed to accomplish the purpose.
- Sufficient records should be kept to enable appropriate review of compliance with this policy.
- Access should be subject to ongoing, independent oversight by a committee that includes faculty representation.
Initially, I was a bit aghast at the ambiguity of words that seemingly allows the University to access information with broad power, when they see fit. For example, the third principle states that “notice should be given when user electronic information will be or has been accessed.” Notifying a user about investigating and accessing his or her data should be a key principle of the privacy agreement. However, the ambiguity of this statement already allows the University to wait for an undisclosed amount of time before they have to give notice to the user. There is no specific amount of time after the electronic information is accessed by which the university has to let the user know that the information was accessed, which is troubling, as they could technically get away without ever letting a user know on the grounds that they were planning to in the future.
Moreover, in section III of the contents under the “Notice” section, the University obfuscates the principle further by saying that “notice ordinarily should be given to the user. All reasonable efforts should be made to give notice at the time of access or as soon thereafter as reasonably possible.” What exactly is considered a “reasonable effort” and what is considered “soon thereafter?” Moreover, there is a further issue in the ambiguity of the word “ordinary.” What situation would be considered not ordinary such that no notice has to be given to the user?
These sorts of questions were some of the first that came to my mind. However, I soon realized I am judging Harvard’s privacy policy in contrast to the basis of having complete and full ownership over all of my data. In reality, this isn’t a fair comparison. The reality of the situation is a bit different for two reasons: (1) there are many tradeoffs and drawbacks that come with having full ownership over data such that I am willing to give over my data for certain benefits (such as automatic backing up of data), and (2) compared to most other corporations in the United States, Harvard provides much more protection over the privacy of student and faculty data. Compared to other universities, I don’t know where Harvard stacks up, but, based on a few quick searches, (Boston University Electronic Info Policy here), it seems like Harvard has more explicit guidelines on who can and cannot access data. As a side note, this policy itself is relatively recent; the policy was signed and put into effect on March 31, 2014. Moreover, in reality Harvard has, as a response to this policy, been able to provide a greater sense of security in that petitions to search electronic data across the University must follow through strict formal procedures which determine whether or not the search is permissible.
While the ambiguity of some of the wording in the privacy policy may be cause for concern, the current reality of the situation created by the policy is more reassuring than not and seems to be a step forward in the University’s efforts to protect its students and faculty.