By a unanimous voice vote on Thursday, May 13, the Academic Council approved a motion to support "in spirit" a revised policy on electronic communications and security and to leave minor revisions in the hands of the Executive Committee of the Academic Council (ECAC), which operates on behalf of the full council during the summer months.
The existing policy, the ITAC Statement on Security and Privacy was endorsed by the Information Technology Advisory Committee 13 years ago. Duke's information technology security officer, Paul Horner, told the council at its April 22 meeting that the policy required revision to adapt to changes in legal and regulatory requirements since it was enacted. The new Acceptable Use Policy (AUP) has the support of President Richard H. Brodhead, Provost Peter Lange and faculty committees including the Information Technology Advisory Committee (ITAC).
Prior to the vote, members of the council raised questions about Duke's retention of e-mail files and the procedures followed when the university is required to preserve files in connection with a legal process. John Board, associate chief information officer and a member of the faculty in the Department of Electrical and Computer Engineering, said that OIT retains e-mail for a rolling 30 days.
"If you delete an e-mail, OIT would not be able to recover it on the 31st day after it was deleted," Board said. In one other academic institution he knows of, Board said, e-mail is saved in perpetuity.
Professor Richard Hain, who had previously raised concerns about the security of electronic material turned over to Duke officials, recommended again that the "snapshots" taken in connection with a legal action be encrypted. Horner explained that he would have to investigate the issue further, since some legal authorities consider encryption altering the data, which goes against the objective of preserving the files in the first place.
The discussion moved to broader issues than those covered by AUP. Other faculty members called for a policy on privacy and faculty rights, which would serve as a foundation document for the AUP, and a policy on password security.
The vote to approve the AUP in principle was predicated upon Academic Council Chair Craig Henriquez's commitment to bring these issues, including the possibility of requiring all IT personnel to sign confidentiality agreements, back before the full council in the next academic year.