Harvard University recently had some explaining to do. Last fall, the University conducted an investigation into the source of information leaked to the media about students at the Ivy League school who had cheated. The investigation included searching the work e-mail accounts of 16 Resident Deans without telling them. Although the University eventually told the one Dean who had been the “source” of the leak about the search, the rest of the Deans did not know that their e-mail accounts had been searched until a newspaper reported on the searches this month.
Resident Deans live among students and act as their advisors. They also teach courses but are not on track to become tenured professors. Each Dean is given a personal Harvard e-mail account and one to use specifically in their role of Resident Dean. It was the latter type of e-mail account that was searched by Harvard.
Some of the Resident Deans reacted angrily to the search, calling it a breach of privacy and trust. The Deans also said they should have been told about the search earlier pursuant to the University’s policies. Harvard’s policies allow it to search employee e-mail accounts, including those of faculty members. However, faculty members must be told about the search either before it happens or immediately after it is completed.
Harvard defended its actions, stating that it did not notify the Deans of the search in order to protect student privacy and the identity of the person who inadvertently leaked the information. The University also insisted that only the “subject” lines of work e-mails were searched, not personal accounts, and that no e-mails were opened. Interestingly, Harvard also said the e-mail accounts searched were associated with the Deans’ administrative roles as Resident Deans. This raised the question of whether Harvard considers the Resident Deans faculty members for purposes of notification under its own policies.
While it is not known if any Resident Dean will pursue legal action against Harvard, this incident offers lessons for employers regarding e-mail communications in the workplace.
Employers should adopt a written electronic communications resources policy that puts employees on notice that e-mails, texts and voicemails sent over employer-owned property may be monitored, and that employees do not have a personal privacy right regarding such communications. The persons who will be subject to the policy should also be clearly stated. At Harvard, it appears the University did not define whether the term “faculty member” includes Resident Deans. Thus, an employer’s electronic communications policy should clearly identify who is subject to the policy, such as volunteers or part-time or seasonal workers. The policy should also notify employees that the electronic communications systems belong to the employer and should only be used for legitimate business purposes. Along those lines, employees should also be notified that any information learned from the employer’s electronic communications systems should only be disclosed to authorized employees.
Finally, an electronic communications resources policy may only allow monitoring of electronic communications routed through the employer’s equipment and property. In the event a third-party provider is involved in the transmission or storage of electronic communications, employers should obtain the employee’s written consent to access these communications in order to preserve the right to monitor them. Third parties will likely not release the information to employers absent written consent from the employee.