Dartmouth Announces Policy on Accessing Electronic Data

The new policy clarifies when and how the College may access user data.

Dartmouth has recently published a new policy, developed and approved during the 2018-2019 academic year by the Council on Computing, aimed at clarifying the circumstances under which authorized College officials may access electronic information stored in or transmitted by Dartmouth systems, such as computers, servers, email, voicemail, and mobile devices.

The policy, known as Access to User-Related Electronic Information at Dartmouth, elaborates on the College's existing Acceptable Use Policy (AUP), which governs how faculty, students, and staff can use Dartmouth's information technology resources.

Chief Information Officer Mitchel Davis, a member of the council, says the decision to articulate a policy specifically on how and when the College may access user-related electronic information came about during a review of the AUP, a revised version of which is expected to be published in the near future.

"We realized that the existing AUP did not adequately describe the circumstances under which Dartmouth might access data collected during the operation of its information systems, and we decided to create a separate policy to address this," Davis says.

Sean McNamara, the interim senior director of information security, says the intent of the new policy, which is consistent with the policies of Dartmouth's peer institutions, is to promote transparency and trust.

"I believe it's important to emphasize that we understand and respect the value of our community's data," McNamara says. "Dartmouth is committed to transparency and wants users of our information systems to understand the circumstances that data may be accessed—and what to expect if it is."

While it is rare for the College to access users' electronic information, it does gather some information passively, such as login and geospatial data from Wi-Fi connections and card-reader access to facilities. The new policy outlines the principles the College adheres to when determining if and when to access user data beyond this. For example, the policy states that Dartmouth officials may access data only when authorized to do so in cases determined to meet a legitimate institutional need, such as an emergency where the safety of campus is threatened or there is a potential violation of law or Dartmouth policy. This legitimate need limits what information officials may access.

Further, such information may only be shared with those who have a "reasonable need to be involved."

When the College decides it can access user data, it will make "reasonable efforts" to give timely notice to the user, unless legal constraints, determined by the Office of General Counsel, prevent giving such notice. And the College maintains records of how it accesses user data, so that these decisions can be reviewed.

An oversight committee made up of faculty and senior administrators will review cases, make recommendations to the president about the policy, and provide periodic public reports on how it is being implemented. This committee will be appointed by the provost.

The new policy is important, McNamara says, because "information is the currency of the modern world."

"Any time you use an information resource, data is collected and stored. It is important to understand how that data is accessed and used," he says.

"Dartmouth wants its community to understand the circumstances under which stored or transmitted data might be accessed by authorized Dartmouth personnel. We want to promote an environment of mutual trust, where we are transparent about what our community can expect from us as well as what we expect of our community. It's a part of a broader dialogue we hope to have with our community about technology and its role in our everyday lives."

Hannah Silverstein can be reached at [email protected].