Digital Privacy, Compulsory Information Disclosure, and E-Discovery

• By David W. Dodd
• 11/01/08

Among the many legal issues that are particularly challenging for higher education is that of privacy. Colleges and universities are traditionally open environments that promote free inquiry and the sharing of information. At the same time, security threats to individuals, information, facilities, and systems have never been more serious. Anonymity was once considered a basic assumption for Internet users. However, as threats have increased, the need for ensuring accountability for actions through assigned individual identities has become a more pressing concern than preserving anonymity, and, in turn, privacy. As a result, the policy, legal, and political landscape for privacy and security has shifted enormously in recent years. Privacy has become inextricably linked to security.

Striking a reasonable and effective balance between privacy and security is a serious challenge for institutions today. Security is identified by EDUCAUSE as the top IT concern for 2008. In fact, security has been among the top five issues on the list for more than a decade. Identity and access management are currently ranked fifth. While members of the academic community have long been concerned with safeguarding individual and informational confidentiality, institutions are increasingly tasked with achieving a very difficult balance between the conflicting concerns of privacy and security.

Numerous state and federal codes and laws deal with these issues, a flurry instituted after the events of 9/11. The names have become part of our daily existence: FERPA, HIPAA, FSMA, USA-PATRIOT Act, Homeland Security Act, SEVIS, and others. Each sets forth requirements concerning information privacy and confidentiality that have substantial implications. Two of the many significant features of this legislation for institutions are the compulsory disclosure of library records and the prohibited disclosure by anyone of information about an investigation.

The question of privacy and confidentiality in a legal discovery context is also rapidly evolving, and has enormous ramifications. As recently noted by the New York Law Journal, today nearly all forms of electronically stored information are subject to legal discovery; a process typically referred to as e-discovery. This became recognized formally by changes to the Federal Rules of Civil Procedure (FRCP) in December 2006, which defined new requirements for the treatment of electronically stored information in legal proceedings. A number of cases during the past decade have resulted in decisions consistent with a broad application of e-discovery, with courts affirming the principle that digitally stored information is subject to discovery and must be supplied in a timely and complete manner, and that failure to do so will result in substantial penalties.

Although changes to the FRCP specifically defined sound recordings as discoverable information, a safer position taken by organizations generally is to treat any electronic information as subject to discovery, including documents, e-mails, Web pages, Wikis and blogs, etc. A number of newer technologies, including voice over Internet protocol (VoIP) and unified messaging, must be specifically dealt with in crafting updated policies, procedures, and user education programs. For example, voicemails and other recordings once thought to be beyond the reach of legal discovery are now fair game in most situations. Further, institutions may find that they are not only responsible for turning over digital information and records, but also for maintaining a catalog of those digital files to help satisfy archival and disclosure responsibilities. In other words, institutions should know what digital records exist and how to produce them when compelled to do so. In turn, this should direct institutional policies and procedures concerning digital information storage.   

Specifically, institutions should work with legal counsel to establish records retention and archival responsibilities and strategies that satisfy prevailing federal and state laws. Concomitant with this is the requirement to ensure that the users of institutional systems and networks are fully informed concerning the nature of electronically stored information with regard to compulsory disclosure and e-discovery.

Although Americans have generally come to believe that there is a constitutionally protected right to privacy, in fact the word privacy never appears in the Constitution of the United States. Writing for the Supreme Court in Griswold v. Connecticut in 1965, Justice William O. Douglas first recognized privacy as a penumbral right predicated not on the actual wording of the Constitution, but on the principle of implied rights. Technology has clearly heightened issues related to privacy and security, particularly involving digital information. In general, institutions should understand, and help their users understand, that there is far more of an expectation of privacy on the part of the American public than a constitutionally protected right to privacy that is in turn protected by the courts, particularly with regard to digital information privacy. Further, as numerous scholars have observed, the “right to privacy” has generally been in decline in recent decades. I strongly recommend that institutions proactively take steps to understand and meet their responsibilities concerning digital privacy, compulsory disclosure, and e-discovery. 

David W. Dodd is vice president of Information Resources and CIO at Xavier University in Cincinnati. He can be reached at 513/745-2985 or [email protected].