Last June, the NRC claimed that former ESHCC dean Dymph van den Boom had plagiarised other people’s work in several speeches. Van den Boom suddenly stepped down as dean shortly before the article in question was published. The Executive Board recently stated that it had ‘received indications’ that the source of these charges was within EUR. It has hired an external research bureau to find out who was behind the leak – by browsing through staff members’ e-mail correspondence, among other things. But is this actually allowed? According to the Executive Board, the legal basis for this step lies in EUR’s regulations governing the use of internet and IT facilities. After reviewing the regulations, legal expert Arnoud Engelfriet of the consultancy ICTRecht explains to us what’s going on.
Confidential
Let’s start with the regulations themselves. “It appears to be a sound document, and as such it is legally valid,” says Engelfriet. We move on to the investigation itself. “It counts as a privacy infringement, meaning that it has to satisfy certain prerequisites: that there are concrete indications – as indeed stated by EUR – and that the reason for investigation is outlined in the regulations.”
The university refers to Article 9, sub 7, which states that EUR is only permitted to access staff members’ accounts or computers ‘in urgent cases, in the event of a concrete suspicion of a breach of these Regulations’. Checks are permitted in the context of the objectives set out in the second article. Article 2 lists a number of objectives, including ‘sexual harassment’, ‘criminal offences’ or ‘discrimination’. But also ‘preventing negative publicity’ and ‘protecting confidential information held by Erasmus University’.
“This case belongs to the latter category,” says Engelfriet. “Confidential information is a broad legal concept, which also covers leaks about information that is damaging to an organisation. Particularly when – as argued by the university – existing procedures have not been followed: the staff member in question should have first turned to the Executive Board with this issue.”
Easter eggs
“Going directly to the papers is too drastic,” explains Engelfriet, “plus it forces the university to take serious measures against the individual accused – to allay the public, among other things. During a media frenzy, there’s no room for nuances and not much scope for further discussion.”
It would have been different if the staff member had first contacted his or her manager with these accusations of plagiarism and the university had failed to act on them. “In that case, the staff member could have been covered by the whistle-blower’s scheme, which would then be the context determining whether his or her actions are legally defensible.” However, the precise workings of this scheme lie outside Engelfriet’s field of expertise.
What if the leak amounted to nothing more than tipping off a journalist that Van den Boom had committed plagiarism in a public document? “It could still count as confidential information. While the document may be found in the public space, how is a journalist supposed to know where to look? At Eastertime, we also hide eggs in the public space. But if you told people where to find them, you’d be in breach of the rules.”
In short: if we accept the Executive Board’s version of events, it is legally defensible for EUR to hire an outside agency to check staff members’ e-mail correspondence. But if we accept the version argued by the Chair of the Faculty Council in Erasmus Magazine, this case would actually fall under the whistle-blower’s scheme.
Decent
Leaving the question: which steps is the university authorised to take under the regulations? “It’s important that the first step always constitutes the smallest possible infringement on someone’s privacy. In addition, the employees in question need to be notified. Where required – and provided it’s proportionate – they are allowed to scale up their activities. So, for example, first determine who e-mailed the journalist, or look for key words without opening the actual messages. If they find something, they could then be allowed to read the contents.”
In Engelfriet’s assessment, hiring an outside agency was the ‘decent’ thing to do. “Imagine asking a colleague who could actually run into these staff members in the hall to view their inboxes? That would be awkward and unprofessional.” And he also understands why the Executive Board would want to get to the bottom of this affair: “You want to know why someone leaked to the press; was it justified or part of some personal vendetta?”
And if the university found serious indications in the contents of staff members’ e-mails but nothing conclusive, it could defensibly even check their online activity on private devices, adds Engelfriet. He is referring to Article 4, sub 9. This leaves scope for the responsible administrator to gain access to private devices that have been connected to the EUR network – like a laptop, tablet or phone – to enforce regulations.
“The same rules apply to these private devices as do to office equipment – in other words, the same concepts of necessity and proportionality,” explains Engelfriet. “Although the university will have to carefully consider whether it is proportionate to the suspected irregularity – particularly in a case like this. And actually, I could never imagine a situation that justifies checking strictly private exchanges: a WhatsApp conversation between me and my partner, for instance.”