We know too much now to keep making the same mistake of implementing technologies without doing a full legal, policy and risk assessment review first. Or do we?
Body cameras on institutional law enforcement have become all the rage nationally. Already, as citizens, we have a disturbing view. The deaths of a number of people stopped for minor traffic violations have revealed a terrible underbelly of prejudice and incivility, fear and inexperience on both sides but of course with the power of the state making the encounter unfair from the start. Before the comments start piling up below, please note: I am not talking about cases that involve investigations of serious criminal activity. I am referring to those encounters where there is no or little cause for suspicion that escalates to tragic, lethal encounters.
Higher education is not an exception in this landscape. Sometimes cities within cities, universities and colleges require law enforcement just as they require physical power plants, facility, food and service management. (To wit, see EDUCAUSE’S HEISC page on Physical and Environment Security.) The “Internet of Things” weaves information technology into this scope. Information privacy and security, which by definition include a physical component, closes the law, policy and technology loop.
Have we learned from the past or are we repeating it? With CIOs often the last to learn of a technology implementation on their campus, it would appear that many colleges and university law enforcement units have outfitted officers with body cams without checking in with legal counsel, risk management, constituent stakeholder groups or technology officers on their campus. Therein lies a mistake rich with inefficiencies and ripe for liabilities. So let’s rewind and take it from the top. What would be the best steps to a more efficient and effective implementation of this new technology on campus?
First, IT should be involved from the start. There are many reasons for this statement, including the obvious: it is a technology, it involves information privacy and security, and technology officers are the key stakeholder even if they are not the procuring unit or data steward. A clear business reason supports the obvious. Technology officers are likely to be the most informed person on campus about how to assess technological offers regarding quality of devices, transmission and storage of the information, price points and cost, especially in a cloud environment. Finally, because technology officers already or increasingly have been on the learning curve for cloud services, they already should be practiced in the new procurement process. That process involves legal counsel, information management, finance and communications from the start, in a synchronous process such that if one piece moves the other components can either push back or move with it. Procurement does not get bogged down in a linear process befitting on premises services but which the cloud has rendered inefficient.
Some examples might help. Unpracticed in procuring cloud storage services, a campus police chief might be easily persuaded by vendor sales people to buy expensive devices and very pricey storage. A savvy CIO knows that the cost of both devices and especially storage has been dropping precipitously, and perhaps already has a contract with a vendor that can accommodate even the robust storage needs of body cam content. Relations between law enforcement (or any other unit) should not be a competition but a collaboration that ultimately favors the institution. A CIO is a fabulous resource in this instance.
Once the price point is established, let’s move onto contract formation. If technology officers have learned anything about cloud computing it should be that the contract formation process is the key means by which the institution maintains compliance and enhances its risk management. Will these body cams be used for interactions with students? Of course, so one’s thoughts should go immediately to the Family Education Rights Privacy Act (FERPA). The video is, after all, a personally identifiable record maintained by the institution. (The Department of Education has made it clear that cloud services do not absolve the institution of this responsibility under the law.) The contract better establish that the vendor acts as a school official under FERPA and with the specific language that the best institutional attorneys have applied to model contracts, such as the Net+ Service with Box.
Next, where does the law stand on this data? Is it subject to open record laws in state institutions? If so, does your open record law have a security exception into which this material fits? What if external law enforcement turns up with a subpoena or warrant? Do the campus police know to go immediately to legal, not pass GO or collect $200 on the way? The content of these videos is potentially volcanic in its possible repercussions and constituent privacy expectations. Make sure everyone who is involved in the interactions, from the police officer to the desk clerk, knows the legal protocols from the start.
In terms of institutional policy, who is the data steward? Law enforcement? My guess is that at schools that have established a data stewardship schedule few have given law enforcement this role. Most likely, it falls under the purview of another office. Do body cam videos shift the calculus? For example, if law enforcement falls under Administrative Services and an Executive Vice President, then is that steward prepared to take on the responsibilities for the information security and privacy of this data? Will this technological development put in question the schedule such that the Chief of Campus Police gets elevated to a position of data stewardship? These are the kinds of questions that must be asked and answered before implementing the technology, not afterwards in the face of an embarrassing public incident.
What are examples of embarrassing public incidents? Here are a few. With no one in charge of the privacy practices around that data, meaning under what circumstances and with whose permissions the data is released, what if one of the custodians of a particularly awful, or zany – choose your pick – video is released to a journalist? Or what if it is a video of someone who is famous, or whose parents are famous, comes to light? Sons and daughters of politicians have long been known to live it up … or goof up really big (does the Kennedy name ring a bell?). How much would the National Inquirer be willing to pay a clerk with their custodian finger on the authorization to access and transmit the footage of the encounter of such a person with campus law enforcement at 3 in the morning after a long night out? Or a rival politician who is relishes the opportunity to expose his or her rival? Or how about governmental agencies whose officers show up without a warrant? To be sure, those temptations are always out there, but they are much less likely when the roles of stewards and custodians are baked into the disclosure process.
Chain of custody questions present another challenge. What if there is a serious event recorded that involves the death or serious injury of either or both the officer and a student. Very likely, that footage will be used in both criminal and civil court, especially if there are different versions of what took place. Chain of custody of such evidence is well baked in federal and state rules of evidence. But how do they apply to video footage in a cloud environment? Better get those protocols nailed down in advance. No one would want to be on the witness stand having to answer cross-examination in a way that makes personnel look naïve or the institution inadequate. No one would want to be responsible for either a criminal going free or a rogue police offer allowed back on the force for the failure to properly secure evidence.
Honoring the culture and tradition of our institutions is just as important as compliance. In that vein, no one would want to break the first rule of coaching up: surprising your boss. If the campus police make a decision to equip his or her force with body cams only to have the president or chancellor learn about it in a media blitz over an embarrassing incident, that can’t be good for anyone, including CIOs. The last to know might also be the first to go, even if the CIO had been outside the process, if a leader gets a bee in their bonnet and simply points fingers at “technology” without asking internal process questions. Faculty, staff and students, moreover, might expect to be asked for opinions about this initiative and want to probe the privacy and security components. As members of the community, they should have that opportunity. Thus vetting the matter before the community becomes a communications challenge. Media and communications offices should be a part of that process. Does your campus already have a surveillance policy? Body cams could and should be brought within that scope, especially since the meat of most of those policies is about notice. If your campus does not have such a policy, body cams present cause to create.
Finally, just as the Internet has become a canvas upon which the portrait of human nature is revealed, body cams expose human interactions at some of its most stressed moments. At the expense of my own embarrassment, I have written about this kind of circumstance with the hope that it would shine light on improving current circumstances. Super train law enforcement on de-escalation techniques in every circumstance with scenarios taken from experience (inebriated students; people at risk, etc.). Invest in training if there would appear to be a need for it on your campus. I, for one, want higher education to be leaders in making all law enforcement models of public safety.