UNIVERSITY OF ARIZONA
ELECTRONIC MAIL POLICY
March 1, 1998
TABLE OF CONTENTS
A. This Policy clarifies the applicability of law and of other University policies to electronic mail (e-mail), and also sets forth new policies uniquely applicable to e-mail.
B. The University recognizes that principles of academic freedom, freedom of speech, privacy and confidentiality hold important implications for e-mail and e-mail services. This Policy addresses these principles within the context of and subject to the limitations imposed by the University's legal and policy obligations.
1. E-mail will be used by the University community in an ethical and considerate manner in compliance with applicable law and policies, including policies established by the University and its operating units, and with respect for the public trust through which these facilities have been provided;
2. E-mail users are informed about how concepts of privacy and security apply to e-mail, as well as the applicability of relevant policy and law; and
3. Disruptions to University e-mail and other services and activities are minimized.
A. All policies applied generally at the University are expressly applicable to the electronic environment. Relevant institutional policies include, but are not limited to:
1. Arizona Board of Regents Policy Manual
2. Appointed Personnel Handbook
3. Staff Personnel Policy Manual
4. All Codes of Conduct and Academic Integrity
5. Confidentiality of Student Records
6. Sexual Harassment Policy
7. Outside Professional Activity
10. Use of University name or Trademarks
B. This is not a comprehensive list of applicable University policies. Any policy which applies to the use of University resources, including equipment and time, also applies to e-mail. In the event of a conflict between policies, the more restrictive use policy shall govern.
A. This Policy applies to:
1. All e-mail services provided, owned, or funded in part or in whole by the University;
2. All users and holders of University e-mail systems or accounts, regardless of intended use; and
3. All University e-mail Official Records and/or Public Records in the possession of or generated by University employees and other users of e-mail services provided by the University, regardless whether the records were generated on University or non-University computers.
B. This Policy does not apply to:
1. Internet services other than e-mail;
2. Voice Mail;
3. Audio and Video Conferencing; and
4. Facsimile messages.
C. This Policy does not apply to printed copies of e-mail, but other law and policy may apply to such documents. Under Arizona records law and other state laws, information appearing in this format may need to be retained as Official Records or treated as State Publications under A.R.S. § 35-103. If the user prints out e-mail Official Records (including transmission and receipt data) and retains them in hard copy according to approved University records management policies and retention schedules, the electronic copy may be deleted immediately. (See Department Administration Common Retention Schedule for related definitions and state mandated guidelines on the storage and disposal of e-mail records or contact the University's Records Management and Archives Department for instructions.)
D. This Policy applies equally to transmission and receipt data including e-mail headers, summaries, and addresses associated with e-mail records and attached files or text.
A. Provision of Service. E-mail services may be provided by University organizational units in support of the University's threefold mission of instruction, research, and public service.
B. University Property. E-mail services are extended for the sole use of University faculty, staff, students and other appropriately authorized users to accomplish tasks related to and consistent with the University's mission. University e-mail systems and services are University facilities, resources and property as those terms are used in University policies and applicable law. Any e-mail address or account assigned by the University to individuals, sub-units, or functions of the University, is the property of the University.
C. Authorized Service Restrictions.
1. E-mail users are required to comply with state and federal law, University policies, and normal standards of professional and personal courtesy and conduct. Access to University e-mail services is a privilege that may be wholly or partially restricted by the University without prior notice and without the consent of the e-mail user: a) when required by and consistent with applicable law or policy; b) when there is a reasonable suspicion that violations of policy or law have occurred or may occur; or c) when required to meet time-dependent, critical operational needs. Such access restrictions are subject to the approval of the appropriate University supervisory or management authority (e.g., department heads, systems managers, etc.). The autonomous operational units of the University should establish or identify these authority levels.
2. University operational units may define additional "Conditions of Appropriate Use" for local computing and network facilities to supplement this Policy with additional detail, guidelines or restrictions. Such Conditions must be consistent with and subordinate to this Policy, and are intended to deal primarily with situations of limited resource supply.
3. When an individual's affiliation with the University ends, the University may attempt to redirect e-mail for a reasonable period of time as determined by the University for purposes consistent with this Policy and the University's mission. The University may elect to terminate the individual's e-mail account or continue the account, subject to approval by appropriate University supervisory and systems operational authority.
D. Authorized Access and Disclosure.
1. The University may permit the inspection, monitoring, or disclosure of e-mail when:
a. Required by or consistent with applicable law or policy such as Arizona Public Records law (A.R.S. § 39-121, regarding inspection of public records); the Family Educational Rights and Privacy Act (regarding access to student records); or any appropriately issued subpoena or court order. The Electronic Communications Privacy Act of 1986 also permits messages stored on University systems to be accessed by authorized personnel in certain circumstances;
b. There is a reasonable suspicion that violations of law or University policy have occurred or may occur; or
c. There are time-dependent, critical operational needs of University business if the University determines that the information sought is not more readily available by other means.
2. In such instances, the University will, as a courtesy, normally try to inform e-mail users prior to any inspection, monitoring, or disclosure of e-mail records, except when such notification would be detrimental to an investigation of possible violation of law or University policy. Users are required to comply with University requests for access to and copies of e-mail records when access or disclosure is required or allowed by applicable law or policy, regardless whether such records reside on a computer housed or owned by the University. Failure to comply with such requests can lead to disciplinary or other legal action pursuant to applicable law or policy, including but not limited to appropriate University personnel policies or Codes of Conduct.
E. Indemnification of the University.
Users agree by virtue of access to the University's computing and e-mail systems, to indemnify, defend and hold harmless the University for any suits, claims, losses, expenses or damages, including but not limited to litigation costs and attorney's fees, arising from or related to the user's access to or use of University e-mail and computing systems, services and facilities.
A. Using e-mail for illegal activities is strictly prohibited. Illegal use may include, but is not limited to: obscenity; child pornography; threats; harassment; theft; attempting unauthorized access to data or attempting to breach any security measures on any electronic communications system; attempting to intercept any electronic communication transmissions without proper authority; and violation of copyright, trademark or defamation law.
B. Failure to follow state law with regard to the disposition of e-mail records may lead to criminal charges. Theft or unauthorized destruction, mutilation, defacement, alteration, falsification, removal or secretion of e-mail records may lead to class 4 or class 6 felony charges under A.R.S. § 38-421.
C. In addition to illegal activities, the following e-mail practices are expressly prohibited: entry, examination, use, transfer, and tampering with the accounts and files of others, unless appropriately authorized pursuant to this policy; altering e-mail system software or hardware configurations; or interfering with the work of others or with University or other computing facilities.
D. If a user has been requested by another user via e-mail or in writing to refrain from sending e-mail messages, the recipient is prohibited from sending that user any further e-mail messages until such time as he/she has been notified by the system administrator that such correspondence is permissible. Failure to honor such a request shall be deemed a violation of this Policy.
E. University e-mail services may not be used for: commercial activities not approved by appropriate supervisory University personnel consistent with applicable policy; personal financial gain (except as permitted under applicable academic policies); personal use inconsistent with Section VI of this policy; uses that violate other University policies or guidelines; or uses inconsistent with applicable state or federal law. Applicable University policies include, but are not limited to, policies and guidelines regarding personnel, intellectual property, or regarding sexual or other forms of harassment.
F. E-mail users shall not give the impression that they are representing, giving opinions, or otherwise making statements of behalf of the University or any unit of the University unless expressly authorized to do so. Where appropriate, the following explicit disclaimer shall be included: "The opinions or statements expressed herein are my own and should not be taken as a position, opinion, or endorsement of the University of Arizona."
G. University e-mail services shall not be used for purposes that could reasonably be expected to cause, directly, or indirectly, strain on any computing facilities, or interference with others' use of e-mail or e-mail systems. Such uses include, but are not limited to, the use of e-mail services to:
1. Send or forward chain letters.
2. "Spam", that is, to exploit listservs or similar systems for the widespread distribution of unsolicited mail.
3. "Letter-bomb", that is, to resend the same e-mail repeatedly to one or more recipients.
University e-mail services may be used for incidental personal purposes provided that such use does not:
A. Directly or indirectly interfere with the University operation of computing facilities or e-mail services.
B. Interfere with the e-mail user's employment or other obligations to the University.
C. Violate this Policy, or any other applicable policy or law, including but not limited to use for personal gain, conflict of interest, harassment, defamation, copyright violation or illegal activities.
D. E-mail messages arising from such personal use shall, however, be subject to access consistent with this policy or applicable law. Accordingly, such use does not carry with it a reasonable expectation of privacy.
A. The confidentiality of e-mail cannot be assured, and any confidentiality may be compromised by access consistent with applicable law or policy, including this Policy, by unintended redistribution, or due to current technologies inadequate to protect against unauthorized access. Users, therefore, should exercise extreme caution in using e-mail to communicate confidential or sensitive matters, and should not assume that their e-mail is private or confidential.
B. Users may not access, use, or disclose personal or confidential information without appropriate authorization, and must take necessary precautions to protect confidentiality of personal or confidential information, regardless whether the information is maintained on paper or whether it is found in e-mail or other electronic records.
C. The Office of the Registrar may elect to publish student e-mail addresses as directory information, consistent with the requirements of the Family Educational Rights and Privacy Act (FERPA). Individual students may, consistent with University policy and FERPA, request the University not to treat the address as directory information. Requests for identification or release of students e-mail addresses should be directed to the Office of the Registrar.
A. E-mail users and operators must follow sound professional practices in providing for the security of e-mail records, data, applications programs, and systems programs under their jurisdiction.
B. Users and operators must guard against storage media deterioration and e-mail record inaccessibility due to hardware or software obsolescence. To eliminate these situations, users must make provision for future accessibility by:
1. Migrating all official e-mail records to the next generation of hardware or software; or
2. Migrating only current official e-mail records to new hardware or software, or converting official e-mail records not migrated to other media (e.g., optical disk, COM) for short term storage or to "eye readable form" (i.e., paper or microfilm) for long term storage and preservation. (See Department Administration Common Retention Schedule for state mandated guidelines on the storage and disposal of e-mail records or contact the University's Records Management and Archives Department for instructions.)
C. Users are responsible for safeguarding their identification (ID) codes and passwords, and for using them only as authorized. Each user is responsible for all e-mail transactions made under the authorization of his or her ID, and for all network e-mail activity originating from his or her data jack. Use of e-mail user identifications for commercial purposes is prohibited. Access to user identifications may not be loaned or sold.
D. Each operational unit should establish:
1. Standards for official e-mail records identification and file organization.
2. Measures for protecting sensitive official e-mail stored electronically.
3. Procedures for file back-up.
Suspected or known violations of policy or law should be confidentially reported to the appropriate supervisory level for the operational unit in which the violation occurs. Violations will be processed by the appropriate University authorities and/or law enforcement agencies. Violations may result in revocation of e-mail service privileges; academic dishonesty or Code of Conduct proceedings; faculty, staff or student disciplinary action up to and including dismissal; referral to law enforcement agencies; or other legal action.
Users of this Policy are encouraged to refer to on-line versions of this and other University policies when available on the University's home page on the World Wide Web.
GENERAL USE CAUTIONS
Users should be aware of the following:
A. Both the nature of e-mail and the public character of the University's business make e-mail less private than users may anticipate. For example, e-mail intended for one person sometimes may be widely distributed because of the ease with which recipients can forward it to others. A reply to an e-mail message posted on an electronic bulletin board or "listserver" intended only for the originator of the message may be distributed to all subscribers to the listserv. Furthermore, even after a user deletes an e-mail record from a computer or e-mail account it may persist in whole or in part in system logs, in the directories of the person who received the message, or on system back-up tapes which may be retained for long periods of time. All these items may be subject to disclosure under applicable law and this Policy. The University cannot routinely protect users against such eventualities.
B. E-mail, regardless whether created, received, or stored on University equipment, may constitute an "Official Record" (as defined by A.R.S. § 41-1350); may be a "Public Record" subject to disclosure under the Arizona Public Records Law (A.R.S. § 39-121); or may also be subject to disclosure or access under other laws or as a result of litigation. See Department Administration Common Retention Schedule for state mandated guidelines on the storage and disposal of e-mail records or contact the University's Records Management and Archives Department for instructions.
C. The University does not automatically comply with all requests for disclosure, but attempts to evaluate such requests against the precise provisions of the Public Records Law or other applicable law concerning disclosure and privacy.
D. The University, in general, cannot and does not wish to be the arbiter of the contents of e-mail. Neither can the University, in general, protect users from receiving e-mail they may find offensive. Members of the University community, however, are strongly urged to use the same personal and professional courtesies and considerations in e-mail as they would in other forms of communication, and particularly those applicable to written communications since e-mail creates a tangible record of that communication.
E. There is no guarantee, unless "authenticated" mail systems are in use, that e-mail received was in fact sent by the purported sender, since it is relatively easy, although a violation of this Policy, for senders to disguise their identity. Furthermore, e-mail that is forwarded may also be modified. Authentication technology is not widely and systematically in use at the University as of the date of this Policy. As with print documents, in case of doubt, receivers of e-mail messages should check with the purported sender to validate authorship or authenticity.
F. Encryption of e-mail is another emerging technology that is not in widespread use as of the date of this Policy. This technology permits the encoding of e-mail so that for all practical purposes it cannot be read by anyone who does not possess the right key. Because of Federal regulations (36 CFR 1234) and State of Arizona directives for the maintenance of e-mail public records, encryption should not be used for storage of University e-mail.
G. Inappropriate e-mail use may expose the University and individual users to claims for damages through copyright infringement, libel, breach of privacy or other personal or proprietary rights.
H. Federal law and University policies regarding copyright and intellectual property apply to e-mail. Do not violate the copyright of others. Unless the material is legally established as being in the public domain or unless there is explicit release by the copyright owner, you may not copy e-mail information. Under ABOR rules or copyright law, you may or may not have copyright in e-mail material which you create. Check with the appropriate authority before assuming that you have copyright in such material.
I. Even though an e-mail sender and recipient have deleted their e-mail, back-up copies may exist for periods of time and in locations unknown to the originator or recipient. These copies may be accessed or disclosed consistent with applicable policy or law.
MODEL INFORMATIONAL HANDOUT
REGARDING UNIVERSITY E-MAIL POLICY
Date: Todays Date
TO: All staff
FR: Your Name
RE: What You Need to Know About the University's New E-Mail Policy
The University has released a document to clarify the applicability of law and of other University policies to electronic mail (e-mail). Its title is: University of Arizona Electronic Mail Policy. A committee, composed of members of the Faculty Senate and different college and administrative units, prepared the policy. Shown below is a simplified and abbreviated version of the overall policy which identifies the basic information of which e-mail users should be aware. The full text of the policy is available through the University's Records Management and Archives Department Home Page (go to the University's Home Page and click on "Administration" and then click on "Records Management") and through links from the online Faculty and Staff handbooks. Hard copy versions of the full policy text can be obtained from the Human Resources Department.
WHAT YOU NEED TO DO (Storage of E-mail Documents)
Remember that in accordance with Arizona law, University business documents created or received on e-mail must be saved for the same length of time as their hard copy equivalents. There are two ways to comply with this:
WHAT YOU NEED TO KNOW (Overview of university of Arizona e-mail policies)
The following are points from the University's Electronic Mail Policy. Each point is referenced for your convenience (by italics) to its corresponding section in the policy document.
Provision of Service.
Authorized Service Restrictions
Authorized Access and Disclosure
Security and Preservation
General Use Cautions
YOU MAY NOT: