All About Information

Entries categorized as ‘Campus and school security’

Some comments on the Virginia Tech state report

September 6, 2007

As promised, here are some comments on the privacy-related aspects of the Virginia Tech state report. I’ve split this post into a part on legal issues and a part on policy issues.

Legal Issues - With no golden rule, strong policy should guide

Not all risks can be effectively mitigated by detailed policy, but given the need for decentralized decision-making about the sharing of information and the apparent inaccessibility of privacy legislation to laypersons, the student-at-risk/catastrophic violence challenge is clearly one that should be addressed through the promulgation of good policy.

Here’s a key quote from the report:

The widespread perception is that information privacy laws make it difficult to respond effectively to troubled students. This perception is only partly correct. Privacy laws can block some attempts to share information, but even more often may cause holders of such information to default to the nondisclosure option—even when laws permit the option to disclose. Sometimes this is done out of ignorance of the law, and sometimes intentionally because it serves the purposes of the individual or organization to hide behind the privacy law. A narrow interpretation of the law is the least risky course, notwithstanding the harm that may be done to others if information is not shared.

Following this theme, the report runs through a number of disclosures in the Virginia Tech case that could have been made, were not, but would have been permitted under applicable state and federal privacy laws.

Similar to the situation in Ontario (where I practice), in Virginia there’s no single “golden rule” or simplifying model to help teachers, administrators and student volunteers figure out what information can be shared about a student at risk, with whom and under what circumstances. Rather, there are a number of different rules - disclosure “exceptions” to be slightly more precise. These exceptions apply indirectly to the scenarios that commonly confront individuals in university and college communities.

In Ontario, for example, when teachers learn of disturbing behavior in the course of teaching, the legality of reporting that behavior to a case management team is ordinarily governed by the “need to know” rule or exception - i.e. the report is lawful if “necessary and proper in the discharge of the institution’s functions.” While this language may allow a lawyer to interpret whether a disclosure is permissible based on a set of facts, without specific guidance on what to do when a student demonstrates objectively threatening behavior, how’s a teacher to know whether reporting the behavior is permissible?

Post-secondary educational institutions must have systems in place that encourage the exercise of sound judgement and due diligence. Enabling the reporting of information about certain student behaviors through policy so these systems can function on complete and valid information is critical to their effectiveness.

Policy Issues - Parental disclosures and safe harbour provisions

I’d like to identify two good policy issues raised by the report, one for consideration by schools and another for consideration by government.

Issue 1: Should post-secondary educational institutions pursue a policy of sharing information about adult students at risk with their parents?

Consistent with the United States Department of Education’s philosophy on parental involvement, the state report clearly favours information sharing with parents:

During his formative years, Cho’s parents worked with Fairfax County school officials, counselors, and outside mental health professionals to respond to episodes of unusual behavior. Cho’s parents told the panel that had they been aware of his behavioral problems and the concerns of Virginia Tech police and educators about these problems, they would again have become involved in seeking treatment.

I’m not sure what Canadian post-secondary institutions will want to do with this. Is it reasonable to assume that all parental relationships will be supportive? How will institutions know if there is a benefit to the disclosure? If the decision to share information with parents is discretionary, what factors should inform the exercise of discretion? To what extent should schools rely on a disclosure to parents as a complete discharge of their duty of care (assuming such a duty exists)?

Issue 2: Should governments enact new exemptions to allow for disclosures made in a good faith belief that they are necessary for protecting health and safety?

The state report recommends this type of “safe harbour” exemption as a means of cutting through the confusion about how existing and general privacy exemptions apply to the health and safety problem illustrated by Virginia Tech. It states:

Laws protecting good-faith disclosure for health, safety, and welfare can help combat any bias toward nondisclosure.

The current health and safety exemptions in Ontario’s public sector privacy and health privacy statutes are objective standards that are based on a “serious harm” threshold. Short of this relatively high threshold, disclosures are only permitted under other more general exemptions like the “need to know” exemption noted above (which applies only to internal disclosures) or the similarly-obscure “consistent purpose” or “law enforcement” exemptions. Would acceptance of the safe harbour proposal lead to an appropriate clarification of the law? Is it important that privacy legislation be made accessible to laypeople? Will this type of amendment harm the integrity of the legislation?

***

I’m just scratching the surface with these comments, but hope they provoke some good thought amongst those who are interested in this subject. It’s a sad one, but I like the privacy-related ideas that have been raised following the shootings because they are simple, compelling and important. Look for more posts on campus security and privacy in the future.

Categories: Campus and school security · Collection, use and disclosure · Health privacy · Universities and Colleges

State report on Virginia Tech released

August 30, 2007

The state panel struck by Virginia Governor Tim Kaine released its report on the April shootings yesterday. Once again, the report has some strong comments on the need for information-sharing, at one point stating, “Information privacy laws cannot help students if the law allows sharing, but agency policy or practice forbids necessary sharing.”

At this point I have only scanned the report and read the summary, but may post a comment after reading the (lengthy) report in full.

See the University’s internal “Interface” report here and the special report to the President of the United States here. I’ve posted about the incident here and written about it here.

Categories: Campus and school security · Collection, use and disclosure · Universities and Colleges

E-mail surveillance and constructive knowledge (Part 3)

August 23, 2007

This is a continuation of two earlier posts, one that spoke about an employer’s duty to maintain a harassment-free workplace as justification for routine e-mail surveillance and another that highlighted the different position that a post-secondary educational institution is in, at least vis-a-vis institutionally-administered e-mail accounts.

The United States v. Heckenkamp decision of this April is another illustration of how employers and post-secondary educational institutions are different. In it, the United States Ninth Circuit Court of Appeals held that a state university violated a student’s expectation of privacy by conducting a remote search of his own computer (connected to the university’s network from his dorm room) in an attempt to prevent an attack on its network. Despite this finding, the Court nonetheless held the evidence obtained was admissible in the student’s criminal trial under the American “special needs” doctrine.

I won’t comment directly on the case, but encourage you to read this good editorial by the Stanford Law School Center for Internet and Society’s Jennifer Granick. Ms. Granick focusses her critique on the Court’s application of the “special needs” exception (appropriately, as it determined the outcome of Mr. Heckenkamp’s case). She chooses not to address the subtle implication in the case that the university could have diminished Mr. Heckenkamp’s expectation of privacy by promulgating a more strongly-worded network access policy:

In the instant case, there was no announced monitoring policy on the network. To the contrary, the university’s computer policy itself provides that “[i]n general, all computer and electronic files should be free from access by any but the authorized users of those files. Exceptions to this basic principle shall be kept to a minimum and made only where essential to . . . protect the integrity of the University and the rights and property of the state.” When examined in their entirety, university policies do not eliminate Heckenkamp’s expectation of privacy in his computer. Rather, they establish limited instances in which university administrators may access his computer in order to protect the university’s systems. Therefore, we must reject the government’s contention that Heckenkamp had no objectively reasonable expectation of privacy in his personal computer, which was protected by a screensaver password, located in his dormitory room, and subject to no policy allowing the university actively to monitor or audit his computer usage.

This raises some interesting questions given that a post-secondary institution has a relationship with its student users that’s much like a relationship between a commercial internet service provider and its customers. Would a commercial ISP have felt compelled to search Mr. Heckenkamp’s computer to protect its network? Would privacy legislation permit a commercial ISP to impose a condition of service that allowed it to conduct such a search? Are guarantees of academic freedom a reason for post-secondary institutions to be even more cautious than a commercial ISP in promulgating search-friendly network access policies?

These are all important questions. Of course, employers are in a different position than commercial ISPs and post-secondary institutions because they can establish policy to restrict employees from connecting their own computers to their networks. To the extent employers choose to depart from this ideal (by allowing employees to remotely access their networks from their own computers, for example), they open up a world of risks, one of which is well-illustrated by Heckenkamp.

Thanks go to my colleague Paul Broad of our privacy group for his great input on this post.

Categories: Campus and school security · Collection, use and disclosure · Employee privacy · Records management · Universities and Colleges

Virginia Tech internal reports released

August 23, 2007

As I’ve posted about here and written about here, the Virginia Tech shooting has served as a good discussion point for how a post-secondary institution’s duty to maintain a safe campus environment should be balanced against its duty to respect student privacy. Yesterday the University released reports from three internal committees struck shortly after the incident to examine the strengths and weaknesses of its systems. One of the reports, that of the school’s “Interface Group,” examines the security/privacy balance and echoes some of the thoughts about the need for information sharing that were first expressed in the special report made to President Bush on June 13, 2007. For a flavour, here’s one of the internal group’s seven recommendations:

Effective communication among units regarding at-risk students is essential. There are a number of recommendations intended to enhance communication in the system including conducting on-going training for personnel on the application of the Family Educational Privacy Act (FERPA) in the discussion of cases, clarifying public statements in university policy on how FERPA is applied, establishing a central university contact who has a comprehensive picture of distressed students who have been assessed by the system, clarifying policies for communicating with external agencies regarding acutely distressed students, and implementing a new policy for emergency notification for students.

According to the New York Times, a report from a panel struck by Virginia Governor Tim Kaine will be released late next week.

Categories: Campus and school security · Collection, use and disclosure · Human rights law · Universities and Colleges

E-mail surveillance and constructive knowledge (Part 2)

August 8, 2007

In my post yesterday I suggested that employers in some circumstances may be presumed to have constructive knowledge of employee e-mails and that this may justify routine e-mail monitoring.

Let’s push the idea of constructive knowledge a little further.

Consider the Virginia Tech shooting. Let’s say Cho Seung-Hui, the troubled 23-year-old shooter, had an accomplice and let’s say Cho and the accomplice planned the shooting by way of e-mail exchange. Could the University be liable for failing to take reasonable steps in response to the e-mail exchange? In other words, would it have breached a duty (either a civil duty or perhaps one based in occupational health and safety legislation) to monitor its e-mail system to identify threatening e-mails and respond appropriately?

I’ve been thinking lots about the privacy-related implications of Virginia Tech and wrote about it with my colleague Catherine Peters several months ago. As universities and colleges across North America are thinking through their security-related policy, I wouldn’t be surprised if routine, software-aided e-mail surveillance is under consideration at one or more institutions.

Could it be justified on the basis of a competing legal duty? The most directly-applicable case law is American, and tends to suggest the answer is “no.”

In Shin v. MIT the Commonwealth of Massachusetts Superior Court allowed a wrongful death action to proceed against a suicidal student’s residence don and MIT’s dean of student affairs - finding they did have a duty to take reasonable steps to secure the student’s short-term safety. The case caught the attention of colleges and universities who would argue (as MIT did) that the relationship between a student and a post-secondary educational institution is not close enough to warrant a duty to protect students from harming themselves and others. The duty endorsed by the court is seemingly triggered by the formation of a quasi-custodial relationship marked, in its words, by the “imminent probability of harm.” On this reasoning, at some point after a student is designated “at risk” (voluntarily or otherwise) a school’s duty crystallizes. At the same time, the student’s right to privacy becomes diminished.

As for the duty to protect the campus community at large (where the risk is generalized rather than specific), the duty is more likely to conflict with privacy rights. This is well-illustrated by another Commonwealth of Massachusetts Superior Court decision - Bash v. Clark University from last November. The student who attended at Clark and died from a heroin overdose at the end of her freshman year was far from trouble-free. In her one year at the university she had been noted a number of times for alcohol-related misconduct, placed on academic probation, referred to counseling and questioned about drug use (where she admitted trying heroin). The Court held the University and its administrators did not owe the student a duty of care. It made the point that the standard for the imposition of a duty is high because of competing “social values,” including privacy values:

Third, recognition of the existence of a legal duty on the part of university officials and staff in this case would conflict with the expanded right of privacy that society has come to regard as the norm in connection with the activities of college students. The incursion upon a student’s privacy and freedom that would be necessary to enable a university to monitor students during virtually every moment of their day and night to guard against the risks of harm from the voluntary ingestion of drugs is unacceptable and would not be tolerated.

So short of some threshold - which is high according to this Court’s reasoning - a school’s duty is limited and student privacy rights remain undiminished. This certainly weighs against a duty and corresponding right to conduct routine e-mail surveillance as a means of managing the risk of catastrophic on-campus violence. It also supports an argument that a university or college will not likely be held to have constructive knowledge of e-mails sent over its system in the same manner as would other organizations.

While this reasoning may not give university and college administrators comfort when contemplating the Cho Seung-Hui scenario presented above, they can and should take other steps to assess and monitor potential threats (including reasonable grounds e-mail searches). If they are confident that these means will not be effective, depending on local laws, routine e-mail monitoring may still be an option. My only point, and I hope it’s a useful one, is that privacy rights must fit with (and be limited by) competing legal duties.

Categories: Campus and school security · Records management · Universities and Colleges