The combination of a historian at the center of a Freedom of Information Act request stemming from political contretemps and a former Cornelian in the limelight of the struggle over academic freedom lacing through an information technologies issue is an irresistible topic for this blog: Law, Policy and IT? Below I have set out the foundations of this discussion. In the next blog I will apply these foundations to the Cronon case specifically.
The Freedom of Information Act (FOIA) derives from the Johnson Administration era should immediately conjure up associations to civil rights and anti-Vietnam war protest, J. Edgar Hoover and his vast illegal surveillance campaigns, and the demand the citizenry made for greater transparency in government. Although Congress passed the original FOIA, all fifty states followed suit and passed state versions, not all of which either in statute or case law provide the same degree of access by definition or come to even similar conclusions when balancing this law against other countervailing privacy rights (think FERPA) or interests (think executive privileges or state security.)
Given those differences, and the reality of time and tide, while a state may handle many requests routinely, novel challenges emerge. The Cronon case is an example. Should the records of a faculty member fall within FOIA’s scope? Examples of state university executives exist already; the case of the erstwhile president of University of Tennessee is the most notable example. Tipped off that the president was allegedly having an affair with a member of his staff, journalists thought that they could use FOIA to find out. This case is not the first time that such a request was made for a faculty member, although the profile of this one is probably higher than any one before it. And so these circumstances set us to asking more probing questions, such as what should the institution’s policy be? Should the institution fight the request on the grounds of academic freedom, a legal concept that is available to institutions to raise as a defense, or, as a state entity, should it comply in the spirit of transparency that inspired the law? Before proceeding further down that road, let’s get some basic thoughts on the table.
Email, like its parent category of information technology, is like the girl with the curl on her forehead: when it’s good, it’s very good, and when it’s bad it’s horrid. In its relatively short life, let’s say in the ballpark of forty years, it has undoubtedly enhanced communications and increased productivity. It has also been the ruin of many reputations, careers and relationships. The old adage about the New York Times when it occurs in real time has played havoc in some people’s lives from executives in and outside of higher education, in civil and criminal cases across the country, and most notably these days in the vast majority of contested divorce cases tried in the United States.
Circling around to law and policy, and in order to get to the point of this blog, let’s lay down some basic tenants. Although signs are that employment law may be softening around the edges of this rule, the law generally from state to state on the question of who owns and controls an employee’s email is the employer and to which the latter party has almost complete and unadulterated access unless otherwise stated in explicit protections in corporate policy. That exception sets the thought about policy out clearly: a corporation, including a not-for-profit private academic institution, can create its own policy regarding access and disclosure that is above the floor of the law. State institutions, by the way, might well do the same, and with the added thought that somewhere in the miasma of these issues does lurk constitutional protections, although how they balance out with employment law is not well settled law. So there we have the foundation: whether state or private, a policy on email access and disclosure serves the institution in order that it may avoid these unsettled and thorny questions that float around the legal underpinnings of email.
What Should That Policy Be?
One of the most controversial policies upon which I had to work at Cornell -- but ultimately also one of the most successful -- was our policy on the access and disclosure of email. It took, if memory serves me, about five years (which is not the longest time, by the way, but long enough!). It began when the Vice President, Polley McClure, asked me to craft such a policy. Every good policy, whether institutional or national, should begin with a pressing need. In this case, the most pressing need was the arbitrary and capricious manner in which people without technical access to employee’s email would use supervisory authority, personal friendships or other forms of informal associations with the people who did have access to acquire mail for any variety of alleged reasons, all because of the failure of an instantiated, approved and appropriately balanced set of rules and practices to normalize the process. A strong value proposition underlined her request: a belief that privacy is a fundamental and essential component of academic life, and that quality extends throughout the university, not with faculty alone. A sidebar: Polley McClure has never adequately been recognized for her contribution to higher education on this particular point but surely deserves to be. Done, at least here.
Back to the story: so off I go out into the wilds of the university to sell my wares on the idea of this policy and begin to craft language that appropriately balances the needs of faculty, staff and students as separate and not entirely equal constituencies on this matter with the functionality of the technology and the needs of the institution to operate without unnecessary hindrance all in the mix. Essentially, the rule boiled down to a list of reasons for which access and/or disclosure would be provided, such as legal papers or in health and safety emergencies. For all other reasons, for example internal investigations of alleged violations of policy (for example, an investigation of sexual harassment), permission for the access or disclosure would have to come from the highest administrative constituent official of the individual in question (for example, if a non-academic employee, then the Vice President of Human Resources, if a member of the faculty, then the Provost).
L-O-N-G story short, it comes down to a discussion, shall we say, between our offices of counsel and human resources. In one of the top five moments of my ten-year career in this job, Polley calls them both to a meeting to facilitate conversation and negotiate a resolution. Counsel’s concern was not unusual; it did not want to have its hands tied to policy given the expansive rights that the law provides the institution. Human resources, on the other hand, had a legitimate concern in tempering supervisory excesses whereby some -- a minority, to be sure – supervisors would take either an exaggerated view of their duties (“how do I know my staff is doing a good job unless I can see what they are doing in email?”) or a prurient interest in their employee’s communications. What I thought was particularly noble was how the vice president represented the larger principle at stake. Paraphrasing from memory, I recall something to the effect of her wanting to create a “philosophy of trust” in the workplace. Smartly, she thought that this policy supported that goal.
In sharing stories among colleagues about how their email disclosure policies emerged, I learned that sometimes the tables would be flipped. Counsel’s office would want clearer rules so as to avoid situations without boundaries that would result in legal actions and HR wanted unfettered access! What remained true across the board is that if there ever was a policy that demonstrated my theory that “policy is an IT professional’s friend,” this was the one. In the years before the promulgation of this policy I spent no small amount of time answering questions from network administrators, human resource personnel, deans and employees about any variety of story whereby someone wanted something, the legitimacy of the request almost always debatable, suspicions and paranoia prevailing among the parties and emotions at a fever pitch. Caught in the middle would be the IT person who had the technical access, and all they ever really wanted was to get out of the middle. This policy, which set the terms and created an appropriate path of legitimacy, did a great deal to simmer those tensions down.
Once everyone at the table had a better understanding of the larger picture of good that would come of the policy so long as it was carefully calibrated not to tie the hands of the university and to free up the trust among users of the technology, it did not take too much longer to work out the specific procedural details of what to do in exigent circumstances such as access to an employee’s account if they got hit by a proverbial bus without compromising a password or graduated access in the health and safety investigation of a student whose case presented to authorities a reason for concern. That policy exists today and may be found here: http://www.dfa.cornell.edu/dfa/treasurer/policyoffice/policies/volumes/informationtech/mailstewardship.cfm .
Just retelling this nutshell of a story has exhausted me! Next post, soon I promise, will be to tie all of these pieces together and apply them to the Cronon case. In the meantime, do your homework and read this statement  from the Chancellor of the University of Wisconsin, Madison, and former Provost of Cornell University.