Initially approved: February 22, 2006
Revised: May 21, 2018
Revised: May 9, 2023
Policy Topic: Information Technology
Administering Office: Office of the CIO
I. POLICY STATEMENT
Western Carolina University (hereinafter “University”) electronic mail (hereinafter “Email”) accounts are provided and supported by the State of North Carolina to further the missions of the University.
The purpose of this Policy is to ensure the appropriate use of the University’s Email System by its employees and guests. Use of the University’s Email system evidences the user’s agreement to be bound by this Policy.
II. SCOPE
All individuals, including employees (faculty and staff) and contractors, or entities assigned a non-student University Email account.
III. DEFINITIONS
“Broadcast Email” shall mean an Email message sent to a large audience, either internal to the University or external to the University, from one individual, unit, college or other subdivision of the University.
“Email” shall mean electronic mail, either sent or received, which is a means of transmitting and storing digital messages and files.
“Email System” shall mean any system used by the University as its primary means of transmitting and storing Email.
“Forensic archive” shall mean a technical control applied to an Email account that prevents the owner of the account from deleting Email either sent or received.
“Non-Student University Email Account” shall mean an Email account provided to an individual or entity associated with the University pursuant to University policy, procedure, and/or practice.
“Separation” shall mean the employee left employment with the University and is no longer affiliated with an employment agreement.
“Student University Email Account” shall mean an Email account provided to an accepted or enrolled University student by the University’s third party Email provider.
“User” shall mean all individuals, including employees (faculty and staff) and contractors, or entities assigned a non-student University Email account.
IV. USER RESPONSIBILITIES
General Responsibilities
All users are required to read their Email messages on a regular basis. Users have the responsibility to use this resource in an efficient, effective, ethical, and lawful manner. Users must comply with Policy 52 Responsible Use of Information Technology Resources.
Email Security
The security of the University’s Email System is a shared responsibility, and users must take precautions to prevent the unauthorized use of their Email accounts. Such precautions should include regularly changing passwords and securing passwords in a safe place, checking with the purported sender before opening a suspicious message or attachment, and declining to share, transfer or otherwise permit third parties to have access to WCUid credentials.
The University prohibits automatic forwarding of University Email to a non-University account. The IT Division will not enable this feature for a user.
Sensitive Data
In general, Email is not appropriate for transmitting sensitive or confidential information unless an appropriate level of security matches its use for such purposes. Users must abide by data handling procedures defined in University Policy 97 Information Security and Privacy Governance when utilizing Email to transmit sensitive data. Additional systems operated by the University will scan Email for specific Sensitive Data, including Social Security Number(s) and Credit Card Number(s), and potentially block the Email.
Records Retention
Matters communicated via Email may become a public record, may become evidence in a judicial proceeding or may otherwise be shared with a broader audience than originally intended. Email created or received for business purposes may not be deleted unless permitted under the record retention schedule in use by the University.
Users are responsible for saving Email messages electronically or printing and retaining a hard copy consistent with the records retention schedule. However, users shall not bulk extract or archive their Email to another form of storage such as an “offline archive.”
Email messages that have reference or administrative value but are of a temporary, ephemeral, or transient nature may be deleted when the user has determined that their reference value has ended.
V. OFFICIAL UNIVERSITY EMAILS
Email as Official Communication
The Email System is provided by the University as one of its primary means of official communication. An Email message regarding University matters sent from an administrative office, faculty, or staff member is considered to be an official notice. Supervisors must ensure that their University staff and faculty have access to the necessary or appropriate messages distributed via the University’s Email System.
Broadcast Email
Those wishing to transmit Broadcast Email to alumni, students, faculty, and/or staff must obtain approval from a member of Executive Council or the Chancellor, and comply with the current procedures for sending Broadcast Email.
VI. PERSONAL USE
A University Email account may be used for incidental personal purposes provided such use does not violate other University policies, interfere with University IT operations, including Email services, generate a direct cost for the University or impact University employment or other obligations to the University. Additionally, the personal use cannot involve the following:
VII. PRIVACY OF EMAIL
University staff do not routinely monitor the content of electronic mail. However, no user of University Email or the University Email System should have the expectation that any Email content, whether personal or business-related, will be private. To the extent permitted by law and policy, the University reserves the right to access and disclose the contents of any user’s Email, including discarded messages, without the consent or knowledge of the user. Automated security systems operated by the University will scan Email for potentially malicious or harmful content such as suspicious links or attachments.
VIII. UNIVERSITY RECORDS RETENTION, DISPOSITION OF EMAIL, AND FORENSIC ARCHIVES
Users must comply with the responsibilities outlined in Section IV(4) of this policy and the records retention schedule currently in use by the University.
The University Office of Information Technology will apply the following disposition practices to all Email accounts (except forensic archives):
Forensic archives of a user’s Email may be permitted upon approval of the University Legal Counsel.
IX. VIOLATIONS
Violations of this Policy may result in restriction of access to the University Email system and/or other appropriate disciplinary action.
X. REFERENCES
International Standards Organization (ISO/IEC 27002, 13.2 Information transfer)
University Policy 52 – Responsible Use of Information Technology Resources
University Policy 87 – Secondary Employment Policy for SHRA Employees