How does your institution define “university business” if you use that language in your email policy?  Our current policy reads as such:
 
Expectations of Use:
3.  Only the university provided e-mail account is to be used when conducting university business over e-mail.
  1. Students will be provided an e-mail account as part of their enrollment. Student e-mail services may be outsourced.
  2. Faculty, staff and student workers must request, in accordance with the Access to Information Technology Resources and Systems policy, a university managed e-mail account if they will be using e-mail for communication as part of their employment.
  3. Vendors providing operational support services under contract to the university must use an approved account when communicating with the university through e-mail.
We had a faculty member recently challenge this.  See their comments below.
 
When I read the email policy, a serious question came up where it states that “only the university provided e-mail account is to be used when conducting university business over e-mail.”
 
My concern is that "university business" is not defined. While it may be obvious in most cases, there are some gray areas such as those regarding faculty and areas of scholarship (publications). Also, if a faculty member needs to be contacted off hours or when access to a university provided email might not be practical or timely, a personal email address might often be used. In summary, a faculty member is a contract employee whose duties are somewhat defined and expected, but may have related responsibilities that are not university business per se, but might involve the university or other university employees.
 
Thanks.
 
Bob Smith
AVP IITS & Information Security Officer
Longwood University
Farmville, VA 23909
 
 
********** Visit the EDUCAUSE Policy website at http://www.educause.edu/policy.

Comments

We don't require anyone to use our e-mail system.  All our policy says is that you cannot do anything naughty - like send spam.

I would question the clause "when access to a university provided email might not be practical or timely".  When is access to university-provided e-mail any less practical or timely than any other e-mail?

Kevin

On 4/23/2012 10:52 AM, Smith, Bob wrote:
How does your institution define “university business” if you use that language in your email policy?  Our current policy reads as such:
 
Expectations of Use:
3.  Only the university provided e-mail account is to be used when conducting university business over e-mail.
  1. Students will be provided an e-mail account as part of their enrollment. Student e-mail services may be outsourced.
  2. Faculty, staff and student workers must request, in accordance with the Access to Information Technology Resources and Systems policy, a university managed e-mail account if they will be using e-mail for communication as part of their employment.
  3. Vendors providing operational support services under contract to the university must use an approved account when communicating with the university through e-mail.
We had a faculty member recently challenge this.  See their comments below.
 
When I read the email policy, a serious question came up where it states that “only the university provided e-mail account is to be used when conducting university business over e-mail.”
 
My concern is that "university business" is not defined. While it may be obvious in most cases, there are some gray areas such as those regarding faculty and areas of scholarship (publications). Also, if a faculty member needs to be contacted off hours or when access to a university provided email might not be practical or timely, a personal email address might often be used. In summary, a faculty member is a contract employee whose duties are somewhat defined and expected, but may have related responsibilities that are not university business per se, but might involve the university or other university employees.
 
Thanks.
 
Bob Smith
AVP IITS & Information Security Officer
Longwood University
Farmville, VA 23909
 
 

We base our use of university email versus outsourced email on the type of information involved. Information subject to breach law, such as HIPAA, means that the affiliate (including students) must have a university managed email account and when transmitting any such information over public networks, the information must be encrypted.

 

I do understand the faculty member’s concern – I was in such a position when I was in law school, but maintained an adjunct faculty appointment to work on a few research papers that I wanted to finish up. Since the university would be listed as my affiliation on the paper, I provided the university email address. For some of the other work that I was doing during that time, not paid for or related to my studies, I used my personal email to ensure that the university was not getting involved.

 

I am not sure how this is handled at other universities, but we are required to complete a secondary employment form if we pursue work outside of our university employment. I would think that any business associated with the secondary employment would not be university business since the initial analysis during the approval process would sort out a potential conflict of interest.

 

Princeton University IT policy includes the following passage: 

Outside e-mail

Faculty and staff who have e-mail accounts with services outside the University are encouraged to use only their University-managed e-mail accounts for communications regarding University matters to better protect the privacy and security of University data.  Moreover, use of University-managed e-mail accounts will facilitate responses to subpoenas and other situations that may require the retrieval, inspection or production of documents including e-mail.


Rita Saltz
Office of Information Technology (OIT)
Princeton University

Begin forwarded message:

From: "Smith, Bob" <smithrj@LONGWOOD.EDU>
Date: April 23, 2012 11:52:20 AM EDT
Subject: [POLICY-DISCUSSION] email policy and defining university business
Reply-To: EDUCAUSE Policy Discussion Listserv <POLICY-DISCUSSION@LISTSERV.EDUCAUSE.EDU>

How does your institution define “university business” if you use that language in your email policy?  Our current policy reads as such:
 
Expectations of Use:
3.  Only the university provided e-mail account is to be used when conducting university business over e-mail.
  1. Students will be provided an e-mail account as part of their enrollment. Student e-mail services may be outsourced.
  2. Faculty, staff and student workers must request, in accordance with the Access to Information Technology Resources and Systems policy, a university managed e-mail account if they will be using e-mail for communication as part of their employment.
  3. Vendors providing operational support services under contract to the university must use an approved account when communicating with the university through e-mail.
We had a faculty member recently challenge this.  See their comments below.
 
When I read the email policy, a serious question came up where it states that “only the university provided e-mail account is to be used when conducting university business over e-mail.”
 
My concern is that "university business" is not defined. While it may be obvious in most cases, there are some gray areas such as those regarding faculty and areas of scholarship (publications). Also, if a faculty member needs to be contacted off hours or when access to a university provided email might not be practical or timely, a personal email address might often be used. In summary, a faculty member is a contract employee whose duties are somewhat defined and expected, but may have related responsibilities that are not university business per se, but might involve the university or other university employees.
 
Thanks.
 
Bob Smith
AVP IITS & Information Security Officer
Longwood University
Farmville, VA 23909
 
 

Message from mccaugheym@appstate.edu

My main question, though, is _why_ employees would be required to use the university-provided email for all university business? What prompted such a policy, what problem are they trying to avoid, and who was involved with creating this policy--faculty and staff?

I can think of several instances when using my university email was not practical. For instance, when the system was down for scheduled maintenance but my coauthor at another university, or a student with a yahoo email, was waiting for my response. In those cases, I emailed from home, using an ISP for which I pay and using an email account outside of my university's.

I just found out that my email was about to go over quota, so instead of taking the time to go through my messages I simply forwarded my university email to my gmail account, which offers more storage space. That way I am not deleting willy nilly records that I am probably required to keep just to avoid going over quota.

thanks-
Martha

Prof. Martha McCaughey
Dept of Sociology
Chapell Wilson 205 B
Appalachian State University
Boone, NC 28608
tel: 828-262-6391
My homepage: http://www.appstate.edu/~mccaugheym

As someone else already indicated, if there is a subpoena for a specific faculty member, being able to say that the relevant university email folder has been keyword searched is a lot better than finding out that the faculty member used at times gmail or yahoo - because then discovery will be delayed until third parties can comply with the subpoena. In addition, staff leaving the university or retiring - it is a lot easier to maintain business continuity when a vacation message can be set for a university email rather than figure that some clients will be emailing third party emails and never get a response or those emails end up in the trash folder. The third aspect is data security - is a university really comfortable having their sensitive information stored on third party servers and never find out about a breach that involved SSNs of student applicants?
Message from mccaugheym@appstate.edu

I think these are all very important things to consider. I asked about _why_ that rule is desired so that it might clarify what counts as university business, which someone asked to clarify. Perhaps it would be a good idea to clarify what types of business should not be sent or stored on third party data storage systems. When I got my university-issued iPad, it required my gmail account to get set up. There is a way that I can go onto my university email system through Safari, but the iPad is set up to use a gmail account. That is not my university email, obviously, but it is used over a university device! And so many professors work from home, from other campuses while away giving talks or participating at conferences, on mobile devices that may or may not have been privately purchased, and so on that the policy, it seems to me, needs to be more specific with a rationale given so that people can make sound professional judgments as new technologies emerge. Martha McCaughey
Very good, relevant points. All the more critical when a faculty is doing research under Special Grants or Federal Funds. Compliance and Ethical Standards also would mandate that all University and University related business be done under University email and per Process and Policy. Keeping Email Kosher is always a good plan.

Anna
Contracts and Compliance Manager
USC-ITS
213-740-4140
ansuyac@usc.edu

Lorenz, Eva wrote:
> As someone else already indicated, if there is a subpoena for a specific faculty member, being able to say that the relevant university email folder has been keyword searched is a lot better than finding out that the faculty member used at times gmail or yahoo - because then discovery will be delayed until third parties can comply with the subpoena.
> In addition, staff leaving the university or retiring - it is a lot easier to maintain business continuity when a vacation message can be set for a university email rather than figure that some clients will be emailing third party emails and never get a response or those emails end up in the trash folder.
> The third aspect is data security - is a university really comfortable having their sensitive information stored on third party servers and never find out about a breach that involved SSNs of student applicants?

Interesting and timely discussion.....

We have college-owned iPads and Android devices around, and they go through our internal e-mail system.....I know the Androids *want* a Gmail address, but we still connect them to our internal Exchange e-mail service. This allows us to work towards the basic tenets that Ms. Lorenz identifies below....

This being said - we are in the process of pushing out student e-mail out to Google right now, which has prompted us to review and update *our* e-mail use policy as well.....I also found it interesting that the recent Educause survey only showed 7% of colleges/universities have pushed employee e-mail out to either Live/Google.....I would have thought the percentage would have been much higher - or, at least, that's what Microsoft/Google would have us believe....but, this suggests that there are a lot of colleges/universities out there that have weighed all these pros/cons, and have decided to keep e-mail inhouse....

Good discussion.....

Michael Schalip
Central New Mexico Community College
Dir, ITS/Customer Support Services

-----Original Message-----
From: EDUCAUSE Policy Discussion Listserv [mailto:POLICY-DISCUSSION@LISTSERV.EDUCAUSE.EDU] On Behalf Of Prof. Martha McCaughey
Sent: Monday, April 23, 2012 11:16 AM
To: POLICY-DISCUSSION@LISTSERV.EDUCAUSE.EDU
Subject: [POLICY-DISCUSSION] email policy and defining university business

I think these are all very important things to consider. I asked about _why_ that rule is desired so that it might clarify what counts as university business, which someone asked to clarify. Perhaps it would be a good idea to clarify what types of business should not be sent or stored on third party data storage systems. When I got my university-issued iPad, it required my gmail account to get set up. There is a way that I can go onto my university email system through Safari, but the iPad is set up to use a gmail account. That is not my university email, obviously, but it is used over a university device!

And so many professors work from home, from other campuses while away giving talks or participating at conferences, on mobile devices that may or may not have been privately purchased, and so on that the policy, it seems to me, needs to be more specific with a rationale given so that people can make sound professional judgments as new technologies emerge.

Martha McCaughey

The Citadel moved its student email out to Google some time ago. The main reason for not moving faculty and staff email at the time was Google's unwillingness to drop the indemnification clause from its terms and conditions. As an agency of the State of South Carolina, we cannot sign any contract that contains an indemnification clause. Microsoft appears to be more flexible and we are anticipating moving our faculty and staff email there. That said, any correspondence with students that is sent from or received by our Exchange server is captured by our archiving appliance.

-----Original Message-----
From: EDUCAUSE Policy Discussion Listserv [mailto:POLICY-DISCUSSION@LISTSERV.EDUCAUSE.EDU] On Behalf Of SCHALIP, MICHAEL
Sent: Monday, April 23, 2012 1:34 PM
To: POLICY-DISCUSSION@LISTSERV.EDUCAUSE.EDU
Subject: Re: [POLICY-DISCUSSION] email policy and defining university business

Interesting and timely discussion.....

We have college-owned iPads and Android devices around, and they go through our internal e-mail system.....I know the Androids *want* a Gmail address, but we still connect them to our internal Exchange e-mail service. This allows us to work towards the basic tenets that Ms. Lorenz identifies below....

This being said - we are in the process of pushing out student e-mail out to Google right now, which has prompted us to review and update *our* e-mail use policy as well.....I also found it interesting that the recent Educause survey only showed 7% of colleges/universities have pushed employee e-mail out to either Live/Google.....I would have thought the percentage would have been much higher - or, at least, that's what Microsoft/Google would have us believe....but, this suggests that there are a lot of colleges/universities out there that have weighed all these pros/cons, and have decided to keep e-mail inhouse....

Good discussion.....

Michael Schalip
Central New Mexico Community College
Dir, ITS/Customer Support Services

-----Original Message-----
From: EDUCAUSE Policy Discussion Listserv [mailto:POLICY-DISCUSSION@LISTSERV.EDUCAUSE.EDU] On Behalf Of Prof. Martha McCaughey
Sent: Monday, April 23, 2012 11:16 AM
To: POLICY-DISCUSSION@LISTSERV.EDUCAUSE.EDU
Subject: [POLICY-DISCUSSION] email policy and defining university business

I think these are all very important things to consider. I asked about _why_ that rule is desired so that it might clarify what counts as university business, which someone asked to clarify. Perhaps it would be a good idea to clarify what types of business should not be sent or stored on third party data storage systems. When I got my university-issued iPad, it required my gmail account to get set up. There is a way that I can go onto my university email system through Safari, but the iPad is set up to use a gmail account. That is not my university email, obviously, but it is used over a university device!

And so many professors work from home, from other campuses while away giving talks or participating at conferences, on mobile devices that may or may not have been privately purchased, and so on that the policy, it seems to me, needs to be more specific with a rationale given so that people can make sound professional judgments as new technologies emerge.

Martha McCaughey

Well, y'know ... there are always times when professors may be engaged in controversial areas of research when you probably would prefer that they use their home e-mail for research-related communications.

I believe the standard example is that of a professor who is doing research on pornography? Said professor may need or want to sign up for access to various pornographic websites or e-mail lists in order to gain access to the subject matter of his or her research.

But I bet nobody here would object if that professor decided not to use his or her official University e-mail account for that purpose ... and the professor might not want to anyway if his or her e-mail records might be subject to FOIA requests prior to publication of the fruits of his or her research.

Ruth Ginzberg, CISSP, CTPS
Sr. I.T. Procurement Specialist
University of Wisconsin System

rginzberg@uwsa.edu
608-890-3961

As the discussion expanded to faculty and staff -
We do not require that faculty and staff use their university provided email account.  However, we do have an overall appropriate use policy that has two relevant sections, given that the defined "Resources" in the policy includes email:

1)
Unrelated business - Resources may not be used in connection with compensated outside work, business unrelated to the University, or for the benefit of organizations not related to the University except in connection with scholarly pursuits (such as faculty publishing activities or work for professional societies) or other activities authorized by the President of the University. This and any other incidental use must not interfere with other users' access to Resources and must not be excessive. State law restricts the use of State facilities for personal gain or benefit.

and
2)
E-mail - By opening and using your e-mail account, Authorized Users agree and consent that the University may access the account for administrative and all other purposes permitted or required by law and/or the University's policies, procedures and ordinances, which may require the University or its e-mail provider (if applicable) to access and disclose to the University any information stored within the account. The University does not centrally retain or archive e-mail sent, processed or received by the University e-mail system. E-mail may be retained, stored or archived by external providers of e-mail services.




Very good points, but it again points back to "university business". Once the arrangements for the research have been completed (funding, contracts, scope of project, process, etc.) it may well be that the research step of obtaining/storing the data in question does not have to be done via university resources as it may not be construed as "university business". And it would keep the research content outsourced, which I too am sure would please/relieve some people. :)

John

On 4/23/2012 2:03 PM, Ruth Ginzberg wrote:
> Well, y'know ... there are always times when professors may be engaged in controversial areas of research when you probably would prefer that they use their home e-mail for research-related communications.
>
> I believe the standard example is that of a professor who is doing research on pornography? Said professor may need or want to sign up for access to various pornographic websites or e-mail lists in order to gain access to the subject matter of his or her research.
>
> But I bet nobody here would object if that professor decided not to use his or her official University e-mail account for that purpose ... and the professor might not want to anyway if his or her e-mail records might be subject to FOIA requests prior to publication of the fruits of his or her research.
>
> Ruth Ginzberg, CISSP, CTPS
> Sr. I.T. Procurement Specialist
> University of Wisconsin System
>
> rginzberg@uwsa.edu
> 608-890-3961

All, conversations like this do my little "military/federal government agency background" heart good!!!! Amen to the idea that universities and colleges should be run like businesses and keeping track of data, especially record data is just as important when we have to produce it due to an inquiry or legal discovery request.

Based on my experience, you can keep data (emails) as long or as short as you feel meets the needs of your customers. Just make sure you have a policy in place that you actually follow. If you have a policy that says you delete emails in 90 days, you better delete your emails in 90 days. If not, and it's discovered during a legal discovery or inquiry that you actually keep some longer than that, you'll be researching everything. Records are a different matter altogether and have to be kept according to record retention requirements.

I'm not sure that which platform is used is a concern really. It matters what you do with the data. We moved our students to Live@edu a couple of years ago, and it has worked well for us. We have instituted a policy that we only considered the X.X@chattanoogastate.edu to be the official email address and thus the only one covered under our retention policies. We are just determining how we are going to address email and record retention data used on mobile platforms.

Jackie Stephenson
Director, Systems Development & Operations
Computer Services
jackie.stephenson@chattanoogastate.edu
423 697-3116

In general, I would prefer to handle these situations as exceptions since they can be controlled by the university. What cannot be controlled by the university is receiving a subpoena by a third party or a hacking attempt at a Google server. Most of the policies for us also have a statement in them "as technically feasible" that allows us to grant exceptions.
This is always a fascinating topic. As multiple people have said, among the strongest drivers behind wanting university community members to use university-assigned email accounts for university purposes has to do with the university's ability to comply with external requirements... or, as Zareh mentions, the legal, reputational, operational and simply $$$ impact when we fail to comply.

I do think it's important to distinguish between using, say, a standard Gmail account that anyone can obtain under the standard Ts&Cs versus a Gmail account offered by a university that has a contract in place with Google. It's the former case that can be seriously problematic from a compliance viewpoint. Obtaining email records for e-discovery purposes is typically a higher burden and a less-sure thing when an external mail provider is involved. Transmitting FERPA, HIPAA, human subjects research data, credit card info or anything subject to export controls are just some of many other scenarios that can have major negative consequences. And even if you touch none of these types of data, for public institutions, state open records laws can have a far reach. Finally, just because you use a different email provider doesn't mean what you do for university purposes isn't subject to every requirement you would be subject to if you use the institution's own service (thus pointing to one definition of "university business", which would also span research and instruction, at least for faculty and staff).

There are also good reasons beyond compliance for wanting to use the institution's own email service (or contractually provided service). For example, UCLA's (UC's) policies typically offer a much higher level of privacy protection than would be found with a standard, free commercial email account - because it is important for academic freedom and an ethical workplace. And I would argue that for precisely this reason, we would want our faculty who may be engaged in controversial areas of research to use our facilities: we can better protect them. In fact, the University of Wisconsin-Madison has led higher education in this respect (http://www.news.wisc.edu/19190/ - one of the most elegantly written descriptions of the importance of academic freedom I have seen).

Not saying any of this is easy! And as always, as Martha says, probably the underlying key is always going to be awareness within the university community so that people can make informed decisions.

-Kent

--
Kent Wada
Director, Strategic IT and Privacy Policy
UCLA Office of Information Technology
http://kent.bol.ucla.edu

I'm not sure this helps, and I'm not even sure we still use this language anywhere, but a few years ago when we were trying to describe to users in an online use agreement for a new service, how to tell the difference between "university business" and not, at one point we explained it thus:

"• Do not use [this service] for departmental or institutional work that will remain relevant to IU should you depart the university."

Of course that is still subject to interpretation and isn't black and white, but it did help some people understand what MATTERS to us, at least in that one instance, as one chooses whether it is "university business" or not...

Best regards,
Merri Beth

Merri Beth Lavagnino, CIPP/US, CIPP/IT
Chief Privacy Officer and Compliance Coordinator
Public Safety and Institutional Assurance
Indiana University
https://protect.iu.edu/mbl

*** Please note the attachment called PGP.sig is my electronic signature file. It is NOT a file you need to open. If you were using the PGP program, it would use that file to verify that this email actually came from me. ***

Something that hasn't come up in this discussion, and which happens to be part of Wayne State's policy, is a requirement that all communication between faculty and students be done through the Wayne email system, because it's the only guarantee that the person on each end of the line is who he/she says they are. If Suzy Student writes to you from her hotpants@gmail.com address (apparently an actual case before this policy was established) you, as a faculty member, have no idea who you're talking to. And vice versa, of course. Not only is this FERPA-related, it also just makes sense.

Geoff

Geoffrey S. Nathan
Faculty Liaison, C&IT
and Professor, Linguistics Program
http://blogs.wayne.edu/proftech/
+1 (313) 577-1259 (C&IT)
+1 (313) 577-8621 (English/Linguistics)

From: "Kent Wada" <kent@UCLA.EDU>
To: POLICY-DISCUSSION@LISTSERV.EDUCAUSE.EDU
Sent: Wednesday, April 25, 2012 2:12:25 PM
Subject: Re: [POLICY-DISCUSSION] email policy and defining university business

This is always a fascinating topic. As multiple people have said, among the strongest drivers behind wanting university community members to use university-assigned email accounts for university purposes has to do with the university's ability to comply with external requirements... or, as Zareh mentions, the legal, reputational, operational and simply $$$ impact when we fail to comply.

I do think it's important to distinguish between using, say, a standard Gmail account that anyone can obtain under the standard Ts&Cs versus a Gmail account offered by a university that has a contract in place with Google. It's the former case that can be seriously problematic from a compliance viewpoint. Obtaining email records for e-discovery purposes is typically a higher burden and a less-sure thing when an external mail provider is involved. Transmitting FERPA, HIPAA, human subjects research data, credit card info or anything subject to export controls are just some of many other scenarios that can have major negative consequences. And even if you touch none of these types of data, for public institutions, state open records laws can have a far reach. Finally, just because you use a different email provider doesn't mean what you do for university purposes isn't subject to every requirement you would be subject to if you use the institution's own service (thus pointing to one definition of "university business", which would also span research and instruction, at least for faculty and staff).

There are also good reasons beyond compliance for wanting to use the institution's own email service (or contractually provided service). For example, UCLA's (UC's) policies typically offer a much higher level of privacy protection than would be found with a standard, free commercial email account - because it is important for academic freedom and an ethical workplace. And I would argue that for precisely this reason, we would want our faculty who may be engaged in controversial areas of research to use our facilities: we can better protect them. In fact, the University of Wisconsin-Madison has led higher education in this respect (http://www.news.wisc.edu/19190/ - one of the most elegantly written descriptions of the importance of academic freedom I have seen).

Not saying any of this is easy! And as always, as Martha says, probably the underlying key is always going to be awareness within the university community so that people can make informed decisions.

-Kent


--
Kent Wada
Director, Strategic IT and Privacy Policy
UCLA Office of Information Technology
http://kent.bol.ucla.edu




Thanks for this insight……hadn’t even thought about this from an “identity” perspective.  This makes a huge amount of sense in the interest of protecting the students….

 

Michael

 

From: EDUCAUSE Policy Discussion Listserv [mailto:POLICY-DISCUSSION@LISTSERV.EDUCAUSE.EDU] On Behalf Of Geoff Nathan
Sent: Wednesday, April 25, 2012 1:09 PM
To: POLICY-DISCUSSION@LISTSERV.EDUCAUSE.EDU
Subject: Re: [POLICY-DISCUSSION] email policy and defining university business

 

Something that hasn't come up in this discussion, and which happens to be part of Wayne State's policy, is a requirement that all communication between faculty and students be done through the Wayne email system, because it's the only guarantee that the person on each end of the line is who he/she says they are. If Suzy Student writes to you from her hotpants@gmail.com address (apparently an actual case before this policy was established) you, as a faculty member, have no idea who you're talking to. And vice versa, of course. Not only is this FERPA-related, it also just makes sense.

 

Geoff

Geoffrey S. Nathan
Faculty Liaison, C&IT
and Professor, Linguistics Program
http://blogs.wayne.edu/proftech/
+1 (313) 577-1259 (C&IT)
+1 (313) 577-8621 (English/Linguistics)

From: "Kent Wada" <kent@UCLA.EDU>
To: POLICY-DISCUSSION@LISTSERV.EDUCAUSE.EDU
Sent: Wednesday, April 25, 2012 2:12:25 PM
Subject: Re: [POLICY-DISCUSSION] email policy and defining university business

This is always a fascinating topic. As multiple people have said, among the strongest drivers behind wanting university community members to use university-assigned email accounts for university purposes has to do with the university's ability to comply with external requirements... or, as Zareh mentions, the legal, reputational, operational and simply $$$ impact when we fail to comply.

I do think it's important to distinguish between using, say, a standard Gmail account that anyone can obtain under the standard Ts&Cs versus a Gmail account offered by a university that has a contract in place with Google. It's the former case that can be seriously problematic from a compliance viewpoint. Obtaining email records for e-discovery purposes is typically a higher burden and a less-sure thing when an external mail provider is involved. Transmitting FERPA, HIPAA, human subjects research data, credit card info or anything subject to export controls are just some of many other scenarios that can have major negative consequences. And even if you touch none of these types of data, for public institutions, state open records laws can have a far reach. Finally, just because you use a different email provider doesn't mean what you do for university purposes isn't subject to every requirement you would be subject to if you use the institution's own service (thus pointing to one definition of "university business", which would also span research and instruction, at least for faculty and staff).

There are also good reasons beyond compliance for wanting to use the institution's own email service (or contractually provided service). For example, UCLA's (UC's) policies typically offer a much higher level of privacy protection than would be found with a standard, free commercial email account - because it is important for academic freedom and an ethical workplace. And I would argue that for precisely this reason, we would want our faculty who may be engaged in controversial areas of research to use our facilities: we can better protect them. In fact, the University of Wisconsin-Madison has led higher education in this respect (http://www.news.wisc.edu/19190/ - one of the most elegantly written descriptions of the importance of academic freedom I have seen).

Not saying any of this is easy! And as always, as Martha says, probably the underlying key is always going to be awareness within the university community so that people can make informed decisions.

-Kent


--
Kent Wada
Director, Strategic IT and Privacy Policy
UCLA Office of Information Technology
http://kent.bol.ucla.edu




We have a similar requirement, both staff and students must maintain and list a university email in the directory. Some auto-forwarding is permitted, depending on affiliation status and sensitive information access – but the initial email will be to a standard university email (for (most) students that is outsourced MS)

 

-          Eva

From: EDUCAUSE Policy Discussion Listserv [mailto:POLICY-DISCUSSION@LISTSERV.EDUCAUSE.EDU] On Behalf Of SCHALIP, MICHAEL
Sent: Wednesday, April 25, 2012 3:24 PM
To: POLICY-DISCUSSION@LISTSERV.EDUCAUSE.EDU
Subject: Re: [POLICY-DISCUSSION] email policy and defining university business

 

Thanks for this insight……hadn’t even thought about this from an “identity” perspective.  This makes a huge amount of sense in the interest of protecting the students….

 

Michael

 





Ensuring the identity of the sender would make sense except that Suzie.Schlepelheimer**@university.edu could be forged as easily as hotpants@gmail.com. On the other hand, the real user of hotpants@gmail.com can send a message that is really from that address and claim any identity, while the real user of Suzie.Sch... can't send a message from that address without self-identifying.

** Google returns no matches for that name.  I'm sure that will change once this thread gets archived.

Bob Bayn          (435)797-2396            IT Security Team
       http://it.usu.edu/security/htm/dont-be-fooled
Office of Information Technology, Utah State University
From: EDUCAUSE Policy Discussion Listserv [POLICY-DISCUSSION@LISTSERV.EDUCAUSE.EDU] on behalf of SCHALIP, MICHAEL [mschalip@CNM.EDU]
Sent: Wednesday, April 25, 2012 1:24 PM
To: POLICY-DISCUSSION@LISTSERV.EDUCAUSE.EDU
Subject: Re: [POLICY-DISCUSSION] email policy and defining university business

Thanks for this insight……hadn’t even thought about this from an “identity” perspective.  This makes a huge amount of sense in the interest of protecting the students….

 

Michael

 





At a previous institution students sometimes appealed a grade because a faculty member had set a deadline for submission of a paper and the faculty member had penalized the student claiming that the assignment had not been received in time. Keeping the email entirely within the university system was to the benefit of the student, as the IT department was able to verify when the email was actually delivered to the faculty mailbox. Also, if IT certified that there had been an email outage (never happened, of course), the faculty member would sometimes allow that as an excuse.

 

________________________

Richard Nelson

Director of Information Technology Services

The Citadel

171 Moultrie Street

Charleston, SC 29409

 

P: 843-953-2232

F: 843-953-1013

 

 

 

From: EDUCAUSE Policy Discussion Listserv [mailto:POLICY-DISCUSSION@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lorenz, Eva
Sent: Wednesday, April 25, 2012 3:36 PM
To: POLICY-DISCUSSION@LISTSERV.EDUCAUSE.EDU
Subject: Re: [POLICY-DISCUSSION] email policy and defining university business

 

We have a similar requirement, both staff and students must maintain and list a university email in the directory. Some auto-forwarding is permitted, depending on affiliation status and sensitive information access – but the initial email will be to a standard university email (for (most) students that is outsourced MS)

 

-          Eva





Geoff commented:

#Something that hasn't come up in this discussion, and which happens to
#be part of Wayne State's policy, is a requirement that all communication
#between faculty and students be done through the Wayne email system,
#because it's the only guarantee that the person on each end of the
#line is who he/she says they are. If Suzy Student writes to you from
#her hotpants@gmail.com address (apparently an actual case before this
#policy was established) you, as a faculty member, have no idea who
#you're talking to. And vice versa, of course. Not only is this
#FERPA-related, it also just makes sense.

1) Just a small but potentially important point of clarification: apparent sender addresses in email should NOT be relied on for the purposes of establishing identity. Email addresses can be forged.

Proof-by-example? Go into Mozilla Thunderbird (or whatever POP/IMAP email client you may use). Notice that preferences (email address, user's real name, etc.) are user-supplied. Nothing prevents a user from supplying totally bogus information for those and other fields.

Email identities are NOT trustworthy, and shouldn't be treated as such. (I know folks probably already know this, but it may be worth mentioning just by way of reminder)

2) Similarly, I would urge faculty to also be wary of communicating personal/sensitive information via email (even within an enterprise) because obviously in most cases email is NOT encrypted. This can be hard to avoid if a student asks, "Hey Prof, I need to know how my grade's looking before the add/drop period closes..."

Given that many higher ed email usage policies are focused on "official" communications, this may be a point that's nearly as important as the fact that email identities are not assured. Email is NOT secure (unless you're encrypting your traffic end-to-end).

3) Email is also NOT a reliable/assured delivery channel. A classic example is spam/malware filtering.

I know that this is where folks say, "But Joe! We're talking about email sent from a user on one system to another user *on the same system*! We whitelist all internal email!"

Got that. Understood. But even if your email gets through, users may simply not be reading what they're sent. (You write to their official email account, but they don't know/don't remember that they have one. They may know that they have one, but they may never access it because they've forgotten their password. Or maybe they think that they've forwarded their email from their official email account to the one they actually normally use, but they screwed that process up. And the list goes on and on and on.)

Email should NOT be used as a channel for delivery of important messages ("Dear John Smith, We regret to tell you that the results of your recent cancer test at University Hospital were positive. It is critically important that you begin treatment as soon as possible.")

4) There's also a potential for confusion/accidental mistargeting of email. Life is particularly ugly if your institution uses rigid naming schemes for email usernames, and first initial+last name gets disambiguated with a trailing numerical suffix ("Welcome to Mega University, John Smith! Your new lifetime email address is jsmith34@megau.edu")

Everyone sighs/groans and pities poor jsmith34@megau.edu, since that online address isn't exactly lyrical/poetic, but in fact, the person who's in for a tough time (and often lots of personal email they *really* may wish they weren't seeing -- TMI!) is the "original" jsmith@megau.edu who ends up getting email that was really meant for jsmith12@megau.edu, jsmith33@megau.edu, etc.

Or, just as a simpler example, try decoding email addresses that students may write on a signup sheet sent around a class!

5) Finally, institutional email addresses are often not persistent. This can be a *huge* problem. A faculty member's relationship with his or her students doesn't end when the student graduates (and the student's account gets deleted/held). Wouldn't it be terrific if faculty members could still conveniently communicate with their students as part of a lifetime relationship? For example, imagine faculty members who are being asked to provide letters of reference for graduate schools, etc.

So even though you may manage to temporarily dodge the need to deal with third party email accounts while the user is actually a current student, faculty still end up having to deal with third party email accounts later in time.

What does this all mean?

-- Users (and system operators!) need to be reminded of the limitations inherent in email's architecture and implementation.

-- To the extent that we can add trust with things like S/MIME or PGP digital signatures, our institutions should try to do so.

-- To the extent that we can protect privacy with things like S/MIME or PGP encryption (or something like Voltage), that may also be worth consideration (although encryption raises a whole host of new issues of its own, such as whether or not to escrow keys)

-- Usable directory infrastructures are more important than folks sometimes recognize

-- You may want to think systematically about how you issue and manage your user accounts to make sure that long term user and institutional goals are being enabled rather than hindered.

Anyhow, I've gone on too long already, but I think this is a very important set of issues that all too often doesn't get the attention it deserves.

Regards,

Joe

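Added example (not written by any poster in this thread): Joe's first point, that the From line is user-supplied text, seen from the receiving side. The Python below accepts a From domain only when an Authentication-Results header written by the receiver's own mail server reports an SPF or DKIM pass for that same domain; the server name mx.megau.edu and the three sample messages are constructed for illustration, and strict (exact-match) domain alignment is an assumption of this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical authserv-id of our own receiving mail server (assumption).
TRUSTED_AUTHSERV = "mx.megau.edu"


def parse_auth_results(value):
    """Split one Authentication-Results value into (authserv_id, results)."""
    value = re.sub(r"\([^)]*\)", "", value)          # drop parenthesised comments
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts:
        return "", []
    authserv = parts[0].split()[0].lower()
    results = []
    for part in parts[1:]:
        tokens = part.split()
        if "=" not in tokens[0]:                      # e.g. the bare word "none"
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results.append((method.lower(), result.lower(), props))
    return authserv, results


def assess_sender(raw_message, trusted_authserv=TRUSTED_AUTHSERV):
    """Report whether the From domain is backed by our server's own checks."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    evidence = []
    for value in msg.get_all("Authentication-Results", []):
        authserv, results = parse_auth_results(value)
        if authserv != trusted_authserv:
            continue      # header not written by our server: sender could have added it
        for method, result, props in results:
            if result != "pass" or not from_domain:
                continue
            if method == "dkim" and props.get("header.d", "").lower() == from_domain:
                evidence.append("dkim")
            if method == "spf":
                mailfrom = props.get("smtp.mailfrom", "").rpartition("@")[2].lower()
                if mailfrom == from_domain:
                    evidence.append("spf")
    return {"from": addr, "display": display,
            "authenticated": bool(evidence), "evidence": evidence}


# Constructed sample 1: sent through the university's own system.
GENUINE = (
    "Authentication-Results: mx.megau.edu; spf=pass smtp.mailfrom=suzy@megau.edu;\n"
    " dkim=pass header.d=megau.edu\n"
    "From: Suzy Student <suzy@megau.edu>\n"
    "Subject: Paper 2\n\nAttached.\n"
)
# Constructed sample 2: same From line typed into a client elsewhere; SPF passes
# only for the unrelated envelope domain, so nothing vouches for megau.edu.
SPOOFED = (
    "Authentication-Results: mx.megau.edu; spf=pass smtp.mailfrom=bulk.example.net;\n"
    " dkim=none\n"
    "From: Suzy Student <suzy@megau.edu>\n"
    "Subject: Paper 2\n\nAttached.\n"
)
# Constructed sample 3: a "pass" header that did not come from our server.
INJECTED = (
    "Authentication-Results: mail.example.net; dkim=pass header.d=megau.edu\n"
    "From: Suzy Student <suzy@megau.edu>\n"
    "Subject: Paper 2\n\nAttached.\n"
)

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("spoofed", SPOOFED), ("injected", INJECTED)):
        print(name, assess_sender(raw))
```

A pass here ties the message to the domain's mail system, not to a person; binding a message to an individual key holder is what the S/MIME or PGP signatures Joe mentions are for.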
Just to piggy-back on a few of the points Joe made, here at U of S.C. we created the following short video (~3 mins) explaining some of these email shortcomings:

http://www.uts.sc.edu/itsecurity/videos/DarkSideOfEMail-1-HowEMailWorks.swf

We also created a slightly longer video (~5mins) explaining "phishing," which also serves as a reminder of how easy it is to abuse the trust most of us place in email:

http://www.uts.sc.edu/itsecurity/videos/DarkSideOfEMail-4-Phishing.swf

Hope everyone has a great weekend,

--
Marcos Vieyra
Chief Information Security Officer
University of South Carolina
803.777.4685
marcos@sc.edu
http://security.sc.edu