Electronic Mail Guidelines

Electronic Mail Guidelines

(Doc. T97-010)

The University works in a large, complex information technology environment requiring communication related to both confidential and public data. New technologies offer the University methods to make this communication easier between students, staff, departments, campuses, colleges, and the world. The University has several types of electronic mail systems on its various computer systems enabling its students and employees to take advantage of these technologies. However, with this open communication network, vulnerabilities to the privacy of electronic messages possibly containing confidential or proprietary material arise. University electronic mail users need to be aware of the vulnerabilities in electronic mail communication and of the legal responsibilities that accompany the use of this medium.

I. Purpose

These Guidelines are issued pursuant to the Board of Trustees' Policy Statement on Electronic Data Security, Electronic Mail and Computer Policy Development (Doc. T97-010, adopted February 5, 1997) and:

  • Define who may use the electronic mail systems controlled and administered by the University of Massachusetts (the University);
  • Outline responsibilities related to electronic mail maintenance and use;
  • Provide guidelines for the security and confidentiality of University electronic mail; and
  • Provide methods for monitoring and enforcing these Guidelines.

II. Scope

Campus procedures relating to electronic mail shall apply to all:

  • Electronic mail (e-mail) created within, sent to, maintained within, or administered by the electronic mail systems of the University of Massachusetts;
  • University e-mail users;
  • Electronic mail as defined in the Definitions Addendum to these Guidelines.

III. Responsibilities

The President, together with the Chancellors, shall define what categories of individuals (e.g., full time, part-time, staff, students, economic partners, other educational institutions, general public, etc.) may access University electronic mail systems.

The Chancellors, or their designees, will determine:

  • Which University department(s) shall be responsible for administering electronic mail systems and security;
  • Procedures for electronic mail monitoring related to Section V, Items D and E of these Guidelines.

Campus procedures relating to electronic mail will require that electronic mail administrators are responsible for:

  • Determining what categories of individuals, within the guidelines set by the President and Chancellors, may access the mail system under their control;
  • Ensuring that a security plan for the e-mail system for which they are responsible, has been developed, implemented and is maintained. The security plan should include an analysis of whether message encryption is needed;
  • Ensuring that a backup plan to allow for message/system recovery in the event of a disaster has been developed, tested and implemented;
  • Ensuring that deleted and expired mail is not backed up for more than 30 days. After 30 days deleted and expired messages will be irretrievable because of resource utilization concerns. This standard applies to deleted mail only. It does not apply to mail in users mailbox or electronic mail file folders;
  • Periodically assessing the level of risk within the mail system;
  • Providing information regarding electronic mail vulnerabilities to e-mail users so that they may make informed decisions regarding how to use the system;
  • Ensuring that all electronic mail IDs for individuals with e-mail accounts on University systems have been deleted when: an authorized user has terminated employment, graduated or withdrawn from the University, and when a "courtesy account" is inactive or no longer needed;
  • Ensuring that e-mail message retention standards, as outlined in these and other University policies/guidelines, have been developed and are implemented for their electronic mail system.

Campus procedures relating to electronic mail will require that employees responsible for maintaining, repairing and developing e-mail resources exercise special care and access e-mail messages only as required to perform their job function. These employees will not discuss or divulge the contents of individual e-mail messages viewed during maintenance and trouble-shooting.

Campus procedures relating to electronic mail will require that University E-mail Users:

  • Use e-mail in a responsible manner consistent with other business communications (e.g., phone, correspondence);
  • Safeguard the integrity and confidentiality of University electronic mail;
  • Only use mail IDs assigned to them;
  • Remove mail from their mailbox consistent with University, campus, departmental or electronic mail administrator message retention procedures and these Guidelines.

Campus procedures relating to electronic mail will require that University e-mail users NOT:

  • Post materials that violate existing laws or University policies/codes of conduct. For example, materials that are of a fraudulent, defamatory, harassing, or threatening nature;
  • Use their e-mail access to unlawfully solicit or exchange copies of copyrighted software.

IV. Electronic Mail Use Guidelines

Campus procedures relating to electronic mail will require that:

  • Individuals are prohibited from using an electronic mail account assigned to another individual to either send or receive messages. If it is necessary to read another individual's mail (e.g., while they are on vacation, on leave, etc.), surrogacy or message forwarding should be utilized.
  • The University makes e-mail facilities available to both students and staff. University E-Mail Users are encouraged to use these communications resources to share knowledge and information in furtherance of the University's missions of instruction, research, and public service. Students are free to use e-mail for personal use. E-mail is made available to employees for the purpose of conducting University-related business, but occasional social/personal use is allowed providing it does not interfere with an employee’s job function.
  • Individuals with e-mail IDs on University computer systems are prohibited from sending messages which violate state or federal law, or University policy. Additionally, the University has special concern for incidents in which individuals are subject to harassment or threat because of membership in a particular racial, religious, gender or sexual orientation group.
  • Authorized users will not "rebroadcast" information obtained from another individual that the individual reasonably expects to be confidential.
  • Bulletin Boards used for soliciting or exchanging copies of copyrighted software are not permitted on University electronic mail systems.
  • Authorized users are prohibited from sending, posting or, publicly displaying or printing unsolicited mail or materials that are of a fraudulent, defamatory, harassing, abusive, obscene or threatening nature on any University system. The sending of such messages/materials will be handled according to University codes of conduct, policies and procedures.
  • The University can not control the content of electronic mail. If an individual receives electronic mail that they consider harassing, threatening or offensive, they should contact the appropriate University Office for assistance.

V. Electronic Mail Information

Campus procedures relating to electronic mail will require that e-mail users are aware and understand that:

  • The University considers a personal e-mail message to be private correspondence within the limits set forth in this section, but due to the nature of the electronic medium the University cannot guarantee the privacy or security of such correspondence and e-mail users are cautioned that such messages might become available to others.
  • The University considers electronic mail messages (other than such correspondence which might constitute public records) to be the property of the sender and receiver. However, since the messages are stored on University computer systems, the University has responsibility for the administration of the electronic mail systems.
  • The University will not routinely monitor the content of electronic documents or messages, however, the privacy of documents and messages stored in electronic media cannot be guaranteed. Electronic documents and messages may be readable to maintenance, security and troubleshooting staff while performing their job functions. Such access will occur only when a problem in the software or network arises. Additionally electronic mail may pass out of one computer environment, across a network, and into another totally different computer environment even within the University system. This transport becomes increasingly complicated as mail travels between departments, campuses, universities, states, or nations. The level of security over a message is affected each time the computer hardware, software and environment changes. Untraceable leaks may occur.
  • If there is a University investigation for alleged misconduct, the Chancellor or their designee may authorize that electronic mail or files may be locked or copied to prevent destruction and loss of information.
  • The University may monitor the content of electronic documents and messages, or access e-mail backups or archives as a result of legal discovery, writ, warrant, subpoena, or when there is a threat to the computer system's integrity or security as determined by the system administrator.
  • The confidentiality of the contents of e-mail messages that include certain types of information (e.g., student related, medical, personal) may be protected by the Family Educational Rights and Privacy Act of 1974 (as amended), the Electronic Communications Privacy Act of 1986, or other state or federal law. Additionally the contents of e-mail messages may be classified as public by the Massachusetts Fair Information Practices Act (M.G.L. c66A) and/or the Massachusetts Public Records Act (M.G.L. c66), section 10.
  • The authenticity of an e-mail message cannot be assured due to the state of present e-mail technology. This means that the authorship or source of an e-mail message may not be as indicated in the message.

VI. Compliance And Enforcement

Campus procedures regarding electronic mail will require that any individual found breaching the confidentiality of e-mail messages, disclosing confidential University data by using e-mail, or otherwise violating these Guidelines, may be denied or given limited (i.e., to allow for the performance of required academic or employment related tasks) access to the e-mail and/or University computer systems, and shall be subject to reprimand, suspension, dismissal, or other disciplinary action.