Months after leaked documents detailed the National Security Agency’s monitoring of American citizens’ email accounts and a scandal erupted at Harvard over administrative access of communications by faculty, Yale employees remain largely unaware of the conditions under which the University can monitor their online correspondence.
Through its acceptable use policy and a statute outlined by the State of Connecticut, the University can legally access employee email accounts — and in specific instances, without the consent of the user. While instances of employee electronic monitoring have been infrequent, administrators said it has occurred, though they did not elaborate on the circumstances. Although all faculty and staff interviewed said they are not surprised by the possibility of monitoring, few were familiar with the details of the University’s policy.
In an interview with the News, University President Peter Salovey emphasized the importance of reaching an institution-wide consensus on Yale’s policies and employees’ expectations of privacy.
“It’s very important that everyone share a common understanding and be clear,” Salovey said. “I’m really worrying about the danger of people not coming to a consistent understanding of what our policies are, and being sure that they’re not buried in the fine print.”
But misunderstandings about the Universities policies extend to the highest reaches of the administration.
University Provost Benjamin Polak — who has held his post for nearly one year and is technically responsible for reviewing requests for non-consensual monitoring of employee email accounts — said that he had never dealt with a request for monitoring and was unaware of Yale’s practices.
“As far as I know we don’t do surveillance,” Polak said.
But according Salovey, Yale does in fact monitor employee email accounts without user consent, albeit infrequently. This monitoring is in accordance with the University’s acceptable use policy and a notice required by state law posted online.
“During the four and a half years I was provost, it was a very, very, very rare occurrence,” Salovey said. “Almost never, but not quite.”
The University outlines how it may monitor employee email accounts in its Information Technology Appropriate Use Policy, section 1607.2. This section of the document, which is linked on page 180 of the Faculty Handbook, states that, although the University places “a high value on privacy,” there are nevertheless circumstances in which non-consensual monitoring can occur.
“The University may determine that other considerations outweigh the value of a User’s expectation of privacy and warrant University access to relevant IT Systems without the consent of the User,” the document reads.
According to the document, several circumstances warrant access to employees’ emails: “preserv[ing] the integrity of the IT systems, complying with “federal, state, or local law or administrative rules,” carrying out “essential business functions of the University,” “preserv[ing] public health and safety” and producing evidence when “there are reasonable grounds to believe that a violation of law or a significant breach of University policy may have taken place.” The University may also access the account of a former employee if there is “a legitimate business reason to access” the account.
Accessing a faculty account requires obtaining approval from Polak and Vice President for Human Resources and Administration Michael Peel, as well as the appropriate school dean. Still, the document notes that no approval is necessary when emergency access is needed to “preserve the integrity of facilities or to preserve public health and safety.”
The document does not say, however, who submits the request for monitoring or who ultimately reviews any email messages obtained.
According to Susan West, associate director of strategic communications for ITS, the University does not archive the results of any monitoring, although she added that “depending on the circumstances, there may be a need to temporarily preserve some email messages.”
A second document, linked under the Human Resources page on the University’s website, is intended to alert employees to Yale’s right to monitor them electronically without consent. According to the notice, the University can legally monitor its employees’ activities via the following methods: telephone, hidden cameras, computer, radio, wire, electromagnetic, photoelectronic or photo-optical.
Yale posted this notice in accordance with Section 31-48d of the Connecticut General Statutes, which also states that the notice must be placed in a conspicuous location.
Of the 12 Yale employees who responded to requests for comment, all said they expected the University to have access to their email accounts in some capacity. Still, none had seen the notice.
“Possibly the University sent out one of the lengthy missives from HR inviting us to open their website to find out various information — which people as often as not don’t have time to do — and thus effectively buried it,” said Suzanne Boorsch, the curator of Prints, Drawings and Photographs at the Yale University Art Gallery. “Or perhaps it was just quietly put onto the website, without alerting employees. Certainly attention was not called specifically to this document.”
Gary Pechie, director of the Wage and Workplace Standards Division for the Connecticut Department of Labor, which is responsible for enforcing the law requiring that the notice be placed conspicuously, said that any employer using electronic monitoring is responsible for making workers broadly aware of the notice and all relevant policies.
“[The 31-48d notice has] got to be in a place that employees frequent,” Pechie said.
Pechie was quick to add that there have been no complaints against Yale related to the monitoring law. He also added that the fact that “law hasn’t caught up with technology” is problematic in finding ways to effectively disseminate information about policies.
Kenneth Jackson, the director of undergraduate studies for Portuguese, said he had never seen the notice before, adding that it was not posted in a conspicuous location nor did it address who can authorize electronic monitoring.
The notice required by section 31-48d states any questions should be directed to the Department of Human Resources. Peel did not respond to request for comment.
According to Pechie, the first-time fine for a violation of the 31-48d statute is $500.