Chances are if you haven’t had an investigation that involved electronic data, you will soon, especially as we continue living in the virtual learning and work environments as a result of the COVID-19 pandemic. In its Title IX investigator certification courses, ATIXA recommends becoming familiar with the types of electronic data your institution collects, how it is stored and for how long, and what is needed to access that data before the need arises. External advisors, investigators, and others who interact with Title IX or other discrimination or misconduct resolution processes for students and/or employees should also understand what an institution may or may not have access to without a court order.
For higher education, data collection may be centralized under the chief information officer’s purview, or it could be decentralized across the institution with various departments managing their own data, or there may be a mix, especially for institutions that operate teaching hospitals, research centers, multiple campuses, etc. External third-party vendors may also store data related to information systems, especially those related to learning management systems (e.g. Canvas, Blackboard, Sakai, etc.). For K-12 schools and districts, district-wide systems are likely managed at the district office with information technology staff members assigned to specific schools for day-to-day support. All institutions should have information security policies and protocols in place which detail the types of information maintained, for how long, how, and when the information is purged, who is authorized to access the information, and for what purposes.
Not only is it important to know what data is available, but it’s also important to know what that data can and cannot tell an investigator. For example, Internet Protocol (IP) addresses are assigned to individual devices by a network; however, IP addresses may be static (fixed or permanent) or dynamic (changing each time the device connects to a network). That means if you have a static IP address for your home network, every time you connect to your home network from your laptop, you will have the same IP address; however, if you take your laptop with you to a conference and connect to the hotel network, you will be assigned a different IP address that is specific to that network. Further, IP addresses are connected to devices, not users, so if someone else is using your laptop at your home, their actions would be reflected with the same IP address as any actions you have taken on that machine.
Higher education institutions vary in their use of static vs. dynamic IP addresses, and some institutions use a combination of both. While an IP address might help an investigator know whose device was connected to the network when an incident happened, additional information would be needed to confirm that a specific person was involved.
To help start the conversation with your electronic data management colleagues, here are some examples of types of data that may be useful for investigation purposes:
- Facility access logs (e.g., buildings, specific rooms, etc.) – this could include card swipe, fob, or keypad entry information
- Video footage
- Equipment rental (e.g., cameras, laptops, etc.)
- Internet history
- IP addresses
- Network access (attempts and successes)
- Login/Logout times
- Electronic posts/comments
- Chat logs/direct messages/
- Phone calls
- Document files
- System access (attempts and successes)
- Location records
Different types of information may be accessed in different ways. Make sure you know who to contact to get access to email accounts, for example, and ensure they understand that your request may be urgent and needs to be authorized expediently. Often, several levels of permission or authorization are needed, and the request may be taken much more seriously if it comes from the Title IX Coordinator (or their supervisor) rather than from an investigator. Also, be clear on the protocol – will the student or employee whose account is being accessed be notified – and if so, before the search or afterward? Advance notice may impact your search, or even defeat its purposes altogether. Will the investigator be conducting the search themselves, and if so, are there boundaries or guardrails on how far the search can go? If IT staff will be conducting the search, prepare an appropriate scope of search terms, dates, file types, and other parameters so that IT will be able to efficiently retrieve the data you are seeking.
In addition to assisting with access to institutional data, information technology staff can also be of great assistance in requesting and understanding electronic data from other sources, retrieving data from an individual’s personal device (with permission), and understanding how electronic applications and systems work and manage data. Given the dynamic nature of electronic systems and data, every second counts when it comes to preservation and access.
Establishing and maintaining a collegial relationship with information technology could save critical time and prevent the loss of data needed for an investigation. Get to know your information technology staff, help them understand your work, and create a protocol for how you will work together prior to an investigation with an electronic data need arising.