On November 4, a Harvard research study that secretly photographed faculty and students in class came to light. The study, approved by Vice Provost Peter Bol, was conducted in 2013 to study student attendance at lectures. Whether one thinks such a study was a violation of privacy or only to be expected on a camera ubiquitous campus, one issue is clear: Harvard and other universities need their own set of privacy principles akin to the Fair Information Practice Principles. In fact, every learning environment where academic freedom and trust are paramount should articulate values that serve as a guide for community interactions that implicate privacy. Harvard has principles governing research. Why not for the privacy of students, staff, and faculty? In this respect, Harvard’s Policy on Access to Electronic Information, approved just this past April by the Harvard Corporation, is too narrow if not inadequate.
To demonstrate the current Policy’s inadequacy, consider two ways to interpret the Policy as it relates to the recently revealed research study. Interpretation A: the Policy does not apply to the study. The Policy regulates access to electronic information. Surreptitiously taking pictures of students to measure class attendance is not the same as accessing their electronic information. This interpretation is unsatisfactory, because it suggests that taking photos can serve as a workaround. After all, instead of taking photos, Vice Provost Bol could have just asked faculty for attendance records. But asking for attendance records would have triggered the Policy and require authorization from the faculty’s dean. Because attendance records also can be interpreted as student’s information, authorization from the students’ school dean might also have been required.
Interpretation B: the Policy does apply. There are also many issues with this interpretation, but I’ll focus on just three: First, from the facts given, it seems that the Policy was not followed. Assuming that the study was underway before the Policy was enacted, there still doesn’t seem to have been any effort to comply even after the Harvard Corporation approved the Policy. The Policy clearly states that if access is related to a faculty member, then the dean of the relevant faculty must provide authorization. If access is related to a student, then dean of the relevant school must provide authorization. In exigent circumstances, the General Counsel may provide authorization. As far as we know, no dean or member of the General Counsel’s Office was consulted before or during the study. In fact, it appears that no dean or member of the General’s Counsel Office even knew about the study until it was brought up at the November 4th faculty meeting. Second, there is a degree of awkwardness in interpreting accessing a user’s electronic information as taking pictures. Third, in a situation where a lecture is being photographed without consent, whose information is being accessed? The faculty member’s? The students’? Both?
These problems demonstrate why the Policy’s focus on access to electronic information is too narrow. These problems also demonstrate why a set of broader privacy principles such as the right to know when and what data is being collected is needed. Privacy principles are not meant to substitute for obligations under existing polices and laws. Rather, privacy principles are meant to help guide decisions that arise in the university when the existing policies and laws are ambiguous or not easily applicable to new situations by providing community-driven norms and values. When articulating these values, students and staff employees should be at the table. While public input was sought through meetings and online surveys, Professor (now Hon.) David Barron’s Electronic Communications Policy Task Force, which wrote the Policy, did not have a single student or clerical worker serving as an actual committee member. Privacy affects the entire Harvard community—not just professors, deans, and directors.
The temptation to observe, gather data, and investigate using electronic surveillance will only grow stronger in a digitally ubiquitous, data-driven world. Without a set of clear principles, Harvard will continue to fumble the ball on privacy. Besides, the Sisyphean task of setting up a committee to write a report every time a privacy related controversy happens is nobody’s idea of a good time. A good starting point for forging these privacy principles? Harvard’s very own motto: Veritas.