Aberystwyth University: Policy and Associated Rules on the Use of E-mail
There are responsibilities involved in using the University’s e-mail facilities. By activating your University IT account, you are agreeing to abide by Information Services’ Rules and Regulations, agreeing to fulfil the responsibilities imposed by these regulations and recognising that you are subject to UK and other relevant laws.
This document explains more fully how these considerations govern your use of e-mail.
1. E-mail is not a confidential means of communication. You should bear in mind that e-mail messages can be very easily read by those for whom they were not intended and you should recognise particularly that e-mails can be:
- intercepted by third parties (legally or otherwise)
- accessed by any individuals mentioned in the e-mails, under data protection legislation
- wrongly addressed
- forwarded accidentally
- forwarded by initial recipients to third parties against your wishes
- viewed accidentally on recipients’ computer screens
2. Sensitive personal data must not be communicated by e-mail unless the express permission of the subject has been obtained or unless adequate encryption facilities have been employed.
3. Make sure that you do not include any defamatory comments in any e-mail messages. E-mail is a form of publication and the laws relating to defamation apply. Remember that a comment made in jest can be misinterpreted by its recipient. In a case of harassment it is the effect of a communication which is considered and not the intention of the sender.
4. You must never use a false identity in e-mails which you send. Bear in mind that there is no guarantee that e-mail received was in fact sent by the purported sender. If, for any reason, you do send an e-mail on behalf of someone else you should make that clear at the beginning of the message.
5. The AU e-mail system must not be used to create or distribute unsolicited, offensive, or unwanted e-mail, including the dissemination of chain letters. The sending of unsolicited marketing messages is a criminal offence.
6. You must not send e-mail messages that show the University in an unprofessional light or that could expose the University to legal liability. More specifically, you must not send e-mails in a personal capacity which may give the impression that you are speaking on behalf of the University. E-mails may interpreted as having the same standing as a letter on headed notepaper even if you describe the contents as “private”. If you wish to send e-mail and not be bound by this undertaking you must use an external e-mail provider.
7. Be extremely careful when downloading material from the internet and opening e-mail attachments if there is any suspicion of it including a virus. If you have any suspicions, do not open an attachment and contact Information Services staff immediately. You may be subject to University penalties if you are found to have been negligent in this regard, and you should also be aware that services or access to the system may have to be withdrawn for a period of time in order to rectify any problems caused by the spread of a virus by your computer.
8. You must familiarise yourself with advice on phishing as provided by Information Services and you will also be expected to participate in any relevant training provided by the University.
9. You must not invade anyone’s privacy by any means using e-mail.
10. You should not rely on e-mail for record-keeping purposes. Where long term accessibility is an issue you should transfer e-mail records to a more lasting medium or format.
11. The laws applying to copyright are applicable to e-mail messages and attachments. You should familiarise yourself with the University’s policies in relation to copyright and be careful when copying material for inclusion in e-mail.
12. Be aware that documents attached to e-mails may contain information from which the history of a document’s creation may be deduced. This data may identify those involved in generating or altering that item.
AU Considerations relating to Staff and Student Use
13. The University uses e-mail as an official form of communication with staff and students. All users are expected, therefore, to regularly check their AU e-mail for such communications. For this reason, and in order to ensure compliance with current legislation, the University does not permit users to set up the forwarding of AU e-mail to outside ISPs as there is a risk of e-mail not being correctly handled at the other site, and AU are not able to check for correct delivery when a dispute arises. Such forwarding may also be in breach of data protection laws.
14. Staff and students should be aware that the University’s email system is outsourced to Microsoft under terms negotiated by Jisc Collections and Janet Ltd. For further details see https://www.jisc.ac.uk/network/cloud
15. If you have had a staff e-mail account, it is your responsibility to ensure that, if you leave or retire from the University, you arrange to make available any e-mail records relating to your work in the University. You should also set up an automated response providing an alternative contact within the University for any e-mails that might arrive following your departure. Similarly, if you are a member of staff who has changed departments, then it is your responsibility to ensure that any communications relevant to your previous position are either passed on to colleagues, or deleted, as appropriate.
16. Your staff e-mail account is provided for use in connection with the performance of your contractual duties. While incidental use of the e-mail system for brief communications is permitted, this is regarded as a privilege and not a right and is dependent upon not being abused or overused. The University reserves the right to withdraw permission for personal use at any time.
17. The University reserves the right to add appropriate disclaimers or relevant promotional material to e-mails that are sent out, as and when is deemed necessary by the University Executive Group.
18. Staff must not forward e-mails relating to University business to personal, non-AU e-mail accounts (such as gmail or hotmail) particularly where these communications include personal data relating to others, not should you use personal e-mail accoutns for University business more generally.
19. Staff members should only use the bcc field of an e-mail in instances where a communication is being sent to a group of people who have no need to know other recipients’ identities (e.g. other members of a trades union). Such emails should also make it clear that the email is being sent to a group. Use of bcc in other circumstances might be interpreted as underhand, thus creating a lack of trust. If, you do receive an e-mail as a recipient in the bcc line, take care not to ‘Reply All’ as that might alert others to the fact that you have received the original communication.
Monitoring of and Access to E-mail
20. The AU email system is offered to all members of the University in support of their work, research, and study. While there is no proscription on using the system for personal purposes as long as these do not compromise University-based activities, you must be aware that there can be circumstances where emails addressed to you can either be monitored or accessed under the strict conditions outlined here.
Monitoring of Email. Monitoring means that all or part of an email is inspected either automatically or by nominated University officers without further seeking your permission.. University staff never routinely inspect the contents of any e-mail. However, in accordance with the Regulation of Investigatory Powers Act 2000, there are occasions where some or all of this information may be viewed:
(i) Where a virus or malevolent e-mail attack is threatening the functioning of the whole system or is likely to delete or corrupt user data. In this case e-mail headers and other patterns of data may be examined in order to identify and delete the offending material. This monitoring is largely automated and no University officer is involved in directly viewing the information. In exceptional circumstances, e-mails, the contents of which may threaten the security of individuals or the integrity of the network, may be removed or deleted by Information Services Staff in accordance with established protocols.
(ii) Where the Director of Information Services or the Director of Human Resources, believes there is a reasonable suspicion of a serious breach of any University Policy on the Use of E-mail have been contravened.
(iii) At the request of the police, where it has been established that co-operating is in direct furtherance of a criminal investigation.
Information obtained through any e-mail monitoring will not be used for any purpose other than that for which it is collected unless such monitoring reveals activity of a nature that no employer or organisation could reasonably ignore.
Access to Email. This means that one or more nominated University officers is given permission to read e-mails addressed to you, or sent by you. Such authority will only be given in exceptional circumstances, in particular if, due to your absence from the University, an inability to access emails addressed to you could compromise the business of the University for a clearly identifiable reason. This is most likely to arise if you are a member of staff and absent due to sickness for any length of time, or if you are on holiday or have left the University without having put adequate arrangements in place. E-mail may also be accesed in response to a legal requirement, such as a Data Subject Access Request, or as part of an internal investigation.
Under such circumstances, a Head of Department or section can request Information Services to make relevant existing emails available to a nominated University officer.
The officer(s) nominated to handle such emails will be instructed to use careful judgement before reading the content of any particular email item, for example by using the subject headers so as to avoid accessing email text that is clearly nothing to do with the area of business being progressed.
In using the University’s computer facilities you, as a student or member of staff, implicitly accept the University’s regulations and those of Information Services. Consequently, you have agreed to a right to inspection by Information Services staff under the circumstances explained above.
Data Protection and E-mail
21. As a member of the University, and using its email system, you are covered by the General Data Protection Regulation, and the Data Protection Act 2018, or covered by equivalent legislation in other jurisdictions where the University operates. These prescribe a number of further rights and responsibilities which apply to the use of email:
- Personal data is subject to this legislation. Under its terms, personal data includes any information about a living identifiable individual, including their name, address, phone number, and e-mail address. If you include such information in an e-mail or an attachment to an e-mail, you are deemed to be "processing" personal data and must abide by the legislation. Personal information also includes any expression of opinion.
- You should be cautious about putting personal information in an e-mail. In particular, you should not collect such information without the individual knowing you propose to do this; you may not disclose or amend such information except in accordance with the purpose for which the information was collected; and you should ensure the information is accurate and up to date.
- The University has, by law, to provide any personal information held about any data subject who requests it under data protection legislation. This includes information on individual computers in departments, and you have a responsibility to comply with any instruction to release such data made by the University Data Protection Manager. Emails which contain personal information and are held in live, archive or back-up systems or have been "deleted" from the live systems, but are still capable of recovery, may be accessible by data subjects.
- The law also imposes rules on you in retaining personal data. Such data should be kept only for as long as it is needed for the purpose for which it was collected.
- You should take care when sending e-mails containing personal information to countries outside the European Economic Area, especially if those countries do not have equivalent levels of protection for personal data.
22. It is possible to attempt a recall of an email, but it should be noted that none of the methods are guaranteed to work. An email may already have been read, forwarded or copied into some other format and, in these situations, a technological solution may not effectively recall or delete all copies.
If, as an individual, you wish to recall an email, you should refer to FAQ 498.
Information Services do not normally recall emails. However, certain situations may merit prompt referral to Information Services and these include: situations where personal data has been sent in error (including unintended identification of email list members); sensitive or confidential information has been sent to the wrong person; email content has included text which may be harmful to the reputation of the University.
Recall procedures undertaken by Information Services are time-consuming, resource- intensive and may not be completely successful. Because of this, attempted recall can only be approved by the University Data Protection Officer or by the Director of Information Services (or their nominee). It should be noted that all lists which can send University-wide emails are subject to moderation and you should also consider applying moderation to any lists which regularly send important emails. Information Services cannot recall emails which have left the University (i.e. those which have been sent to non-AU addresses).
23. The University has to act within the law, which means it has, in turn, to ensure that its students and its employees are doing so, by enforcing the Rules and Regulations as explained in this Policy. Therefore, any breach of these Rules could be treated by the University as a serious disciplinary matter.
Information Security Policy: Responsibilities of Staff
Information Services Regulations, Policies and Guidelines
These Regulations are maintained by Information Services, were last reviewed in June 2022 and are due for review in July 2023