Proposed electronic appropriate use policy proposal raises concerns over privacy
January 10, 2019
Northwestern is in the process of reviewing a new electronic resources policy that, when put into effect, would more easily allow the University to access information transferred on NU networks or systems.
The proposed policy, which is open to community review until Jan. 17, outlines the procedure and rights the University has to access “Electronic Resources.” The policy defines “Electronic Resources” as “computing and telecommunications devices and systems that can execute programs or access, store, or transmit University Information.” It adds that the resources can be stored on technology such as servers, networks, smartphones or computers.
Thomas Murphy, NU’s chief information security officer, said policies like the one proposed are common at both private and public universities. He added that the update of the policy was underway before his arrival in 2017.
The policy was first issued in March 2010 and was last reviewed in Dec. 2013, according to the Office of Information Technology website. Andrea Bueschel, the associate provost for strategy and policy and chair of the policy review committee, which drafted the new policy, told The Daily in an email that the feedback will “inform the final version that will become the official policy.”
Political Science Prof. Jacqueline Stevens said the proposed policy is worse than the previous policy because the vague language used in the document could be interpreted in a way to access sensitive information without the user’s knowledge, such as a faculty member’s research.
“This policy allows Northwestern and its trustees to have access to those files,” Stevens said. “So because of these kinds of policies and the people who are running them, I don’t store information that’s connected to my research on the Northwestern Box.”
According to the proposed policy, Northwestern personnel will have to receive approval from the Office of General Counsel and various other offices, such as the Office of the Provost and Human Resources, before accessing the information.
Murphy said the University will implement a process of sending requests through the individual offices so there isn’t unauthorized access to personal information. Typically, he added, the files would only be accessed for University “business continuity.”
“Those people provide a gate such that there isn’t approval or unnecessary access to the data,” Murphy said. “Through their approval process and the Office of the General Counsel, we make sure we’re abiding by all applicable laws.”
When handling confidential information, Murphy said other specific guidelines set forth by the Office of Information Technology will be followed.
Murphy added that major changes to the policy include shortening it from 14 to five pages, simplifying the terms and language and formatting the document to clearly show the required procedures when requesting the electronic resources.
After the community review period ends on Jan. 17, Murphy said the committee will discuss the comments. He added there has not been an official date set for the policy to go into effect, but it will likely happen at the next committee meeting.
If the policy is approved by the committee, Stevens said she thinks it will cause more members of the NU community to turn to alternative storage options and personal email addresses.
“When the University has this kind of heavy-handed surveillance policy, it suggests that they have priorities other than encouraging the free exchange of ideas,” Stevens said.
Email: [email protected]
Twitter: @lizbyrne