Version 1.0: September 2006
Compulsory legal requests for information come in many different kinds -- including law enforcement requests, requests in connection with civil litigation, and public records requests -- and seek many different kinds of information.
Although such requests often -- and nowadays increasingly -- seek electronic records, they are not a strictly "IT issue" even when they do, and they should not be dealt with as such. Rather, requests for electronic records generally should be handled in the same way, and by the same people, as requests for other kinds of information. IT staff can provide invaluable technical assistance when such requests do seek electronic records, but they generally should not be expected to handle those requests on their own.
Each institution should designate a specific person or specific office to receive all requests for information and to coordinate the responses to such requests, and should then direct all such requests to that person or office and require that all responses to such requests come from that person or office. With the possible exception of public records requests, the designee generally should be in-house legal counsel for those institutions that have one, or a senior policy-level administrator for those that do not.
Whoever is designated should, at a minimum, either have or obtain a basic understanding of:
- the nature and kinds of records and information that are maintained on campus and that are likely to be requested;
- the nature and structure of the institution's recordkeeping systems, including but not limited to its IT systems; and
- the institution's record retention policies and other institutional policies and state and federal laws that govern the maintenance and disclosure of records and other information.
Although the responsibility and authority for coordinating responses to compulsory legal requests for information should be vested in a single person or office, the designee should develop a working relationship with the offices whose records are most likely to be requested -- at a minimum the registrar's office, human resources, the purchasing and accounts payable offices, the police or public safety department, and the IT department -- and those offices should be expected to assist the designee in responding when the requests seek their records.
The designee should also consider developing a working relationship with the local offices of the law enforcement agencies that are most likely to make such requests, including the local police, the local office of the FBI, the local prosecutor, the state attorney general, and the local U.S. Attorney. In some areas, formal structures may already exist to facilitate such relationships, such as the Infragard chapters that have been organized in various cities by the FBI. Establishing such relationships in advance of receiving a request for information should greatly facilitate the response and provide an opportunity to discuss legal and policy issues specific to higher education institutions, such as FERPA or protected research data.
1. Subpoena
The most common form of legal process seeking information, a subpoena is a legally enforceable command for a specified person to appear at a specified place at a specified time, typically to give testimony at a grand jury hearing, trial, deposition, or other legal proceeding. A subpoena duces tecum is a legally enforceable command for a specified person or entity to produce records or things at a specified place at a specified time, either with or without accompanying testimony. A subpoena may be issued by a clerk of courts in connection with a legal proceeding, by an attorney in connection with a federal court proceeding and many state court proceedings, and in some cases by law enforcement officials and administrative agencies in connection with their investigations and proceedings.
2. Search Warrant
A search warrant is a legally enforceable command to allow law enforcement officials to search specified premises for, and to seize, specified evidence of criminal offenses. Unlike subpoenas, which give the recipient advance notice and time to locate the requested information or prepare for the requested testimony, search warrants are effective immediately upon presentation. A search warrant may be issued by a judge or magistrate.
3. Court Order
In certain circumstances specified by various statutes, courts have the power to order the appearance of witnesses, the production of records or things, the disclosure of information, or other forms of cooperation with law enforcement officials (such as allowing the installation of a wiretap). Like subpoenas and search warrants, such orders are legally enforceable.
4. National Security Letter
In connection with certain international terrorism and counterintelligence investigations, the FBI and some other federal agencies can order the production of certain communications records and other records. These "national security letters" are, in effect, a form of administrative subpoena.
5. Public Records Requests
Every state has a public records or freedom of information statute requiring public agencies, generally including state-supported colleges and universities, to make many records available upon request. Most such statutes apply quite broadly, with only limited exceptions for specified records raising sensitive privacy concerns.
6. Simple Request
Law enforcement officials sometimes simply request the voluntary disclosure of information. Such requests are not legally enforceable, though failure to comply may result in other consequences.
A subpoena, search warrant, court order, or other form of request is not legally enforceable against the recipient unless the issuing court or agency has jurisdiction over the recipient. In general, a state court has jurisdiction only within that state; in some cases, state court jurisdiction may be limited to a particular county or municipality. In civil cases, federal courts generally have jurisdiction over the state in which they are located and any place outside that state that is within 100 miles of the courthouse. In criminal cases, federal courts have nationwide jurisdiction. The jurisdiction of administrative agencies varies widely, but often is comparable to court jurisdiction. Thus, state administrative agencies generally do not have jurisdiction outside of their respective states, while federal administrative agencies often have broader jurisdiction. National security letters may be issued nationwide. Public records statutes apply only to public institutions in the relevant state. If you are unsure whether you are within the jurisdiction of the relevant court or agency, you should ask the person serving you for a citation of authority.
Each form of request has certain formalities that must be observed in order to make the request legally effective and binding. While these formalities can vary both by type of request and by jurisdiction, they typically include at least the following:
- The signature of an authorized official.
- An appropriate form of service, often by personal hand delivery. In many, but not all, cases, service by mail is not sufficient.
- Service by an appropriate person. You can and should confirm the identity and credentials of the person serving the request, particularly when it requires an immediate response.
- Service upon an appropriate recipient. Statutes sometimes will prescribe a particular person (e.g., the institution's registered corporate agent, president, or legal counsel) or category of persons (e.g., "a person of suitable age and discretion").
Public records requests generally require few, if any, formalities. Often, an anonymous oral request is sufficient.
Under the Family Educational Rights and Privacy Act of 1974, also known as FERPA or the Buckley Amendment, student "education records" may, in general, be disclosed only with the relevant student's consent. The term "education records" includes virtually all records that are maintained by an educational institution and that contain personally identifiable information about a student; it is not limited to records that are "academic" in nature. Thus, photographs, disciplinary records, e-mail messages and traffic logs, card access records, SSN and ID numbers, attendance records, and almost anything else you can think of fall within the definition.
One of a number of exceptions to FERPA's consent requirement allows the disclosure of education records "to comply with a judicial order or lawfully issued subpoena". In most circumstances, the institution must make "a reasonable effort" to notify the relevant student in advance of compliance, so that the student may, if desired, seek protective action. However, the institution need not -- and may not -- give such notice in the case of a federal grand jury or other subpoena "issued for a law enforcement purpose" if the court or agency that issued the subpoena "has ordered that the existence or the contents of the subpoena or the information furnished in response to the subpoena not be disclosed".
A judicial order or subpoena is "lawfully" issued and enforceable only if the issuing court or agency has jurisdiction over the recipient and all required formalities have been followed (see above).
The Electronic Communications Privacy Act established a complex set of protocols for law enforcement access to records of or concerning electronic communications, including e-mail, web traffic, and other forms of Internet communication. While those protocols are too complex to describe here in full, in general they provide greater protections for, and require more formal process to access, real-time communications than stored communications, unretrieved communications than retrieved ones, and contents than subscriber or transaction ("envelope") records. A very basic "summary" of those protocols (from the 267-page Department of Justice Manual on Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations) is attached at the end of this document.
5. Personnel Records
In many states, the disclosure of personnel records also is regulated by statute. While such statutes generally do not protect such records from disclosure in response to an appropriate compulsory legal request, they may impose notice or other procedural requirements similar to those specified by FERPA.
6. Medical Records
Under HIPAA, the ADA, and various other federal and state statutes, medical and medical-related records generally cannot be disclosed freely. In most cases, such records may be disclosed only with the relevant individual's consent or with a specific court order.
7. Privileged Records
Certain limited classes of records are considered to be "privileged" from disclosure even in response to law enforcement requests. For example, the attorney-client privilege, the most likely such privilege to arise on campus, protects records of communications between an attorney and his or her client in connection with the seeking or rendering of legal advice. Similar privileges protect patient-physician and spousal communications, among others.
8. Protected Research
Some types of research data are also protected from disclosure, even in response to law enforcement requests. For example, certificates of confidentiality may be awarded by governmental agencies to protect sensitive data from compelled disclosure and commit institutions to defend certificates of confidentiality from legal challenges. Similar protections may apply to work contracted by the Department of Defense or through contractual agreements.
When a formal request has been made for records, those records generally cannot be altered or destroyed ("spoliated" in legal parlance) while the request is pending, even pursuant to a records retention schedule. Institutions should consider developing a protocol for implementing a "destruction hold" upon receipt of such requests, to prevent inadvertent -- but still problematic -- spoliation.
- Article in March/April 2007 EDUCAUSE Review: "Responding to Compulsory Legal Requests for Information" by Andrea Nixon
- Berkeley PATRIOT ACT Records Working Group
- Cal State Subpoena Handbook
- Cal State Subpoena Training
- CDT Current Legal Standards For Access to Papers, Records, and Communications: What Information Can the Government Get About You, and How Can They Get It?
- CDT Privacy Rules for Access to Personal Data
- CDT Privacy Rules for Access to Personal Data: Commercial Access and Use Chart
- CDT Privacy Rules for Access to Personal Data: Government Access and Use Chart
- Cornell University Flow Chart for Law Enforcement Requests
- Department of Justice Manual on Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations
- George Mason Subpoena Guidelines Handbook
- George Washington University Guidelines on Services of Subpoenas
- Louisiana State University Law Center's Background Information on Certificates of Confidentiality
- National Institutes of Health Certificates of Confidentiality Kiosk
- Quick Reference Guide (Excerpt from DOJ Search and Seizure Manual)
- SANS Institute Security Course 508: Systems Forensics, Investigation, & Response
- Stetson Handling Subpoenas and Service Process
- U.S. Department of Health and Human Services Description of Certificates of Confidentiality
- University of California PATRIOT ACT Records Working Group
- University of Kansas Procedures for Investigative Contact by Law Enforcement
- University of Massachusetts Procedures for Responding to Notifications of Copyright Violation or Requests for the Content of Electronic Communication, Any Information About Users of the University of Massachusetts Systems/Networks, or Traffic on the University of Massachusetts Network
- Washington and Lee Protocol on Receipt of Official Legal Documents, Site Visits, and Other Contacts from Investigatory or Regulatory Authorities and Attorneys
Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.