Email Policy

Purpose

This Policy clarifies the applicability of the law of New Zealand and of University policies to email. It also defines policy and procedures where existing policies do not specifically address issues particular to the use of email.

Organisational scope

This policy applies to all email systems established by the University of Otago for staff and students. Persons who are given access to the University of Otago's email systems are expected to familiarise themselves with, and abide by, the policies in this document. Violations of this policy may result in disciplinary action, or legal action where applicable.

Definitions

Spoofing

Employing a false identity when using email services shall not employ a false identity and / or originating email in such a manner as to create the impression to the recipient that the email originated from another source or individual.

Letter-bomb

To resend the same email repeatedly to one or more recipients to interfere with the recipient's use of email.

Content

1. Preamble

In recent years email (electronic mail) has become a major means of communication for staff and students both within the University and beyond. Email use raises a number of issues including privacy of messages, email address publication, rights of discovery, acceptable use, harassment, and storage.

Email has become the major mode of written communication at the University of Otago. It is important that all email users are aware of the characteristics of email in order to make effective use of this medium for communications. All email users must be aware that communicating electronically has legal ramifications which must be clearly understood if potential problems are to be avoided. For the purposes of this Policy, email includes email attachments (documents, graphics etc.). It is acknowledged that risks for a university in providing employee and student access to email cannot be eliminated but they can be significantly reduced through careful planning and appropriate policies and procedures.

The University recognises that principles of academic freedom and collegiality, freedom of speech, and privacy of information hold important implications for email and email services. The University provides email privacy protections comparable to that which it affords paper mail and telephone communications. This Policy reflects these firmly-held principles within the context of the University's legal and other obligations.

All students of the University are provided with access to University email services and it is the normal expectation that all staff of the University will have access to, and will use, University email services. The use of email services are not seen as a privilege, but as a requirement, for members of the University community.

The University does not and will not routinely inspect, monitor, or disclose email content without the holder's consent. However there are strictly controlled circumstances under which email may be inspected without the holder's consent. These are laid out in the policy.

In using email users should be aware of the following characteristics of the medium.

1. By its very nature, email communication can easily be less private than many people may recognise. For example, a reply to an email message sent to an email list, intended only for the originator of the message, could easily be distributed to all subscribers to the list by mistake. Email intended for one person sometimes may be widely distributed because of the ease with which recipients can forward it to others. Furthermore, even after a person deletes an email record from a computer, it may persist on backup facilities, and thus be subject to disclosure. The University cannot routinely protect users against such eventualities.

2. Email, whether or not created or stored on University equipment, may be subject to disclosure by the University under freedom of information legislation (the Official Information Act and the Privacy Act), or in the course of the discovery process if there is litigation in progress. However, the University does not automatically comply with all requests for disclosure, but evaluates all such requests against the precise provisions of the applicable law concerning disclosure and privacy.

   Those using the University email services should therefore be aware that there are situations where the University may be legally required to disclose information within its power or control, and that it cannot guarantee the complete protection of personal email stored on University facilities.

3. The University, in general, cannot and does not wish to be the arbiter of the contents of email. Neither can the University, in general, protect users from receiving email they may find offensive. Members of the University community, however, are strongly encouraged to use the same personal and professional courtesies and considerations in email as they would in other forms of communication. The Policy has a section on "Acceptable use of email" and those whose use is seen to be outside of these guidelines may be subject to appropriate disciplinary action.
4. There is no guarantee, unless "authenticated" mail systems are in use, that email received was in fact sent by the purported sender, since it is relatively straightforward, although a violation of the Email Policy, for senders to create the impression to the recipient that the email originated from another source or individual. Furthermore, email that is forwarded may also be modified. Authentication technology is not widely and systematically in use at the University as of the date of this Policy. As with print documents, in case of doubt receivers of email messages should check with the purported sender to validate authorship or authenticity.
5. Encryption of email is another emerging technology that is not in widespread use as of the date of this Policy. This technology enables the encoding of email so that for all practical purposes it cannot be read by anyone who does not possess the right key. The answers to questions raised by the growing use of these technologies are not now sufficiently understood to warrant the formulation of University policy at this time. However those using and managing email facilities should be aware that these technologies will become generally available and will probably be increasingly used by members of the community.
6. While the use of email distribution lists can be a very effective means of communication consideration should be given to when 'pull' rather than 'push' technology should be used. Email lists are a 'push' technology in that the list members all receive the communication whether they are interested or not. An example of 'pull' technology is the posting of information on a Web page for users to view if they wish. Excessive use of email lists, especially with large messages, can cause very large network traffic volumes.

2. Policy

1. Access to University Email Services and Disclosure of Email Information

   All University of Otago students have access to University email services, and it is the normal expectation that members of staff will have access to, and will use, University email services. All students and staff using University email services are bound by the University's policies on email. Other persons who have received permission under the appropriate University authority and who have agreed to be bound by the University's policies on email may be authorised to use the University's email services.

   The University encourages the use of email services and respects the privacy of those using them. Subject to the following provisions, the University does not routinely inspect, monitor or disclose information held on its email services without the user's consent.

   IT systems personnel (such as postmasters) may need to inspect email when rerouting or disposing of otherwise undeliverable email, spam, or email which contains, or may contain viruses or other material capable of damaging the network.

   Such right of access is limited to the least invasive level of inspection required and will only be carried out by an employee or contractor of the University in the course of that person's duties where that is necessary for the purpose of maintaining the University's email service.

   Any information obtained through such access will be destroyed immediately it is no longer needed for the purpose of maintaining the University's email service.

   This exemption does not entitle disclosure of any personal or confidential information by any IT systems personnel. However accidental disclosure of information consequent on reasonable efforts taken in good faith to deliver mail shall not be a breach of this policy.

   The University may, subject to requirements of this policy, use or disclose anything created, stored, sent or retrieved by users of its email systems, in (and only in) the circumstances set out below. Where the University has reasonable grounds for considering that the circumstances apply it may, in accordance with the process established by this policy, intercept emails for the purpose of ascertaining whether the circumstances do in fact apply.

   1. when required by the laws of New Zealand, including but not limited to the Official Information Act and the Privacy Act and for the conduct of proceedings before any Court or Tribunal; and/or
   2. where the University with good reason believes violations of the laws of New Zealand or of University Regulations have occurred; and/or
   3. where the University with good reason believes failure to act may result in significant bodily harm, significant property loss or damage, loss of significant evidence of one or more violations of law or significant liability to the University or to members of the University community; and/or
   4. where critical operational circumstances exist where failure to act would seriously damage the ability of the University to function administratively or to meet its teaching, research or community services obligations.

2. Procedures to Approve Access to, Disclosure of, or use of Email Communications

   University officials who need to gain access to the email communications of others, under the circumstances described in the section "Access to University email services and disclosure of email information", and who do not have the prior consent of the user, must obtain approval in writing in advance of such activity from the Director of Information Technology Services. The access to the electronic communications must also be supervised by a person, designated by the Director of Information Technology Services, who will be kept fully informed of the actions taken by the investigating officer.

3. Email Address Publication

   A condition of the provision of an email service at the University of Otago is that the University may publish the email addresses.

4. Archiving and Retention

   An increasing amount of business is now conducted via email messages. Those using email are reminded that it is important to keep email messages as a record of such business, when email is used in place of other written communication. In these circumstances consideration must be given to ensuring that the email record is accessible by other staff. However it must be understood that stored email messages may become subject to disclosure procedures resulting from legal action. Communications of University employees in the form of email may constitute "correspondence" and, therefore, may be a public record subject to public inspection.

5. Acceptable Use of Email

   In general, use of University email services is governed by policies that apply to the use of all University facilities. In particular, use of University email services is encouraged and is allowable subject to the following conditions:

   1. Purpose:

      As with other University resources, email is made available to the staff and students of the University to further the teaching, research, and community service mission of the University. Use of the University's email services is intended to be in furtherance of the University's mission. Individuals may not use email for entrepreneurial activities except in cases of University-sanctioned activities.

   2. Personal use:

      It is accepted that University personnel make use of the University's email services for personal communications. Incidental and occasional personal use of email is permitted when such use, in the judgement of the supervisor of the user, does not generate a significant cost for the University. Any such incidental and occasional use of University email resources for personal purposes is subject to the provisions of this policy.

   3. Use not directly related to the business of the University:

      It is accepted that email and email lists will be used to provide communication of staff social matters. This is permissible so long as the costs to the University are small, as judged by the Head of Department or departments concerned.

   4. Use of email lists:

      Email lists are a powerful mechanism for distributing information. When an email list is established the 'owner' of the list must state clearly what the purpose of the list is, and how the list will be moderated. The use of email lists in appropriate circumstances is encouraged.

6. Restrictions and Unacceptable Use and Practice

   1. Use of email distribution lists:

      No one shall be added to an email mailing list without her or his consent, unless the list is set up for official University business. Mailing lists may be used only for their intended purposes.

   2. Competition:

      University email services shall not be provided in competition with commercial services to individuals or organisations outside the University.

   3. Commercial purposes:

      University email may not be used for personal financial gain or commercial purposes not under the auspices of the University.

   4. Excessive personal use:

      Personal use that creates a significant cost for the University is prohibited.

   5. Harassment:

      It is a violation of this policy to employ email to libel, harass or threaten other individuals or organisations.

   6. Copyright:

      Sending copies of documents in violation of copyright laws or inclusion of the work of others into email communications in violation of copyright laws is prohibited.

   7. Representation:

      Those using University email services shall not give the impression that they are representing, giving opinions, or otherwise making statements on behalf of the University or any unit of the University unless appropriately authorised (explicitly or implicitly) to do so. Where appropriate, an explicit disclaimer shall be included unless it is clear from the context that the author is not representing the University. An appropriate disclaimer is: "These statements are my own, not those of the University of Otago."

   8. False Identity (Spoofing):

      Those using University email services shall not employ a false identity. It is a violation of this Policy to originate email in such a manner as to create the impression to the recipient that the email originated from another source or individual.

   9. Interference:

      University email services shall not be used for purposes that could reasonably be expected to cause, directly or indirectly, excessive strain on any computing facilities, or unwarranted or unsolicited interference with the use of email or email systems by others. Such uses include, but are not limited to, the use of email services to:

      1. send or forward email chain letters;
      2. "spam," that is, to exploit listservers or similar broadcast systems for purposes beyond their intended scope to increase the distribution of unsolicited email; and
      3. "letter-bomb," that is, to resend the same email repeatedly to one or more recipients to interfere with the recipient's use of email.

   10. Unauthorised access:

       Attempting unauthorised access to email or attempting to breach any security measures on any email system, or attempting to intercept any email transmissions without proper authorisation, is a violation of this Policy.

   11. Unauthorised access:

       Attempting unauthorised access to email or attempting to breach any security measures on any email system, or attempting to intercept any email transmissions without proper authorisation, is a violation of this Policy.

Related policies, procedures and forms

• Electronic Directories Policy
• Email Server Policy
• Software Licence Compliance Policy
• Anti-virus Procedure
• Student Email and Digital Screen Communication Policy
• Official Information Act
• Privacy Act