email policy implementation

Berkeley Campus Implementation of the University of California Electronic Mail Policy

Effective December 1, 1998 — November 17, 2000.

Introduction

On March 23, 1998, President Atkinson established the University of California Electronic Mail Policy (UC Email Policy) as official University policy. All email sent from Berkeley Campus email resources must comply with the terms of the UC Email Policy. The Policy directs each UC campus to develop, maintain, and publish specific procedures and practices that implement certain terms of the Policy and communicate the Policy's provisions to their campus email users.

Providers are obligated to implement specific procedures and practices governing the email services which they provide. Also, to meet their own academic or business needs, departments and units of the Berkeley Campus may implement additional, local, procedures and practices that further refine and conform with the UC Email Policy and this implementation document.

This document contains Berkeley Campus implementation information in the following areas, as required in UC Email Policy section IX.Campus Responsibilities and Discretion:

Student Email Address Publication

Eligibility for Use of Berkeley Campus Email Services

Email Services Following Termination of Affiliation

Restrictions of Use of Email Service

Requirements for Accessing or Disclosing Email Information

Email System Backup Procedures

Notification of the UC Email Policy

This document does not describe all the provisions of the Policy -- please refer to the UC Email Policy itself for the complete policy information.

Note: All indented text blocks in this implementation document are direct quotes from the UC Email Policy.

The Appendix to this document includes references to Selected Regulations, Resource Documents, and Resource Offices to assist with the administration of UC Email Policy issues.

Definitions

The following words are defined to have specific meanings within this Berkeley Campus implementation document:

Providers: Departments and units of the Berkeley Campus who provide email services.

Employers: Departments and units of the Berkeley Campus who employee faculty and staff.

Users: Those who use email services supplied by Providers.

Return to top

Berkeley Campus Guidelines

Student Email Address Publication

The Berkeley Campus does publish its students' email addresses as "directory information". The Berkeley Campus Policy Governing Disclosure of Information from Student Records section I.E. includes "electronic mail address" as a category which may be considered "public information" by units on campus. The UC "Policies Applying to the Disclosure of Information from Student Records" 130.20 Definitions clarify that "... 'public information' as used in these policies is synonymous with the term 'directory information' in [FERPA] ... ".

Providers should ensure that their system information directory functions, such as "finger" or other online directories, generate only "directory information" and observe any other relevant restrictions on publication or disclosure of student records. UC Email Policy section IX, paragraph A, states that students may request the campus not to make their email addresses public. Providers should obtain a student's permission, or ensure that the student has not requested "directory information confidentiality" from the campus, before making a student's email address available through the system.

Return to top

Eligibility for Use of Berkeley Campus Email Services

Providers may choose to provide or not provide email services to defined categories of users, and may limit the types of services they do choose to provide, based upon consideration of campus or local department or unit missions, available resources, or other academic or business needs and priorities. Eligibility requirements must conform with the first three conditions of UC Email Policy section VI.A. Allowable Use:

Purpose. Electronic mail services are to be provided by University organizational units in support of the teaching, research, and public service mission of the University, and the administrative functions that support this mission.
Users. Users of University electronic mail services are to be limited primarily to University students, faculty, and staff for purposes that conform to the requirements of this Section.
Non-Competition. University electronic mail services shall not be provided in competition with commercial services to individuals or organizations outside the University.

As a required condition for eligibility to use campus email services, Providers must obtain agreement from any users of their email service to abide by appropriate use regulations. This must include all provisions of the UC Email Policy and the Berkeley Campus Computer Use Policy.

For information regarding administering appropriate use issues see the Guidelines for Administering Appropriate Use of Campus Computing and Network Services.

Return to top

Email Services Following Termination of Affiliation

When individuals, departments, or groups are no longer eligible for campus email service, their access to email service must be discontinued.

Providers may choose to provide or not provide former users of their email services with "redirection only" service for their outside email. The duration of any such redirection services is determined by the Provider.

Providers shall carry out email service terminations (or conversions to redirection service) with due diligence, subject to timelines determined by data availability and business needs. Email service administrators shall notify email account holders in advance, if possible, of impending account cancellation (or conversion to redirection service). IST's local procedures for Disabling UCLink and HomeIP Accounts may serve as a useful resource document for other Providers in preparing their own local procedures.

Individuals, departments, or groups wishing to appeal decisions regarding their continued eligibility for access to email services may do so either through the offices of the Providers or through any existing procedures applying to their affiliation with the University.

Providers' requests for exceptions to campuswide termination requirements should be sent to the Associate Vice Chancellor--Information Systems and Technology, who will review such requests and submit them to the Campus Computing and Communications Policy Board (CCCPB).

Return to top

Restrictions of Use of Email Service

UC Email Policy section V.C, Service Restrictions clarifies that "access to University electronic mail services, when provided, is a privilege that may be wholly or partially restricted by the University without prior notice and without the consent of" the User:

when required by and consistent with law, when there is substantiated reason (as defined in Appendix A, Definitions) to believe that violations of policy or law have taken place, or, in exceptional cases, when required to meet time-dependent, critical operational needs.

Restrictions of email service shall be handled following existing procedures that govern disciplinary or conduct actions, i.e., Personnel Policies or Contracts, or Faculty or Student Codes of Conduct.

Providers should comply with an Employer's request to restrict email privileges of their employees, following confirmation of the identity and authority of the requestor. In such circumstances, the Employer is responsible for ensuring that the action complies with rights and regulations pertaining to the User's employment.

If a Provider allows use by groups or individuals not officially affiliated with the campus, then the Provider must have terms and conditions which include provisions for processing restrictions of service. The nonaffiliated Users must be notified of such terms and conditions and be required to agree to them before they are given access to use the email service.

Return to top

Requirements for Accessing or Disclosing Email Information

Records Management

The UC Email Policy section IV.Scope states that this Policy applies only to electronic mail in its electronic form. It does not apply to printed copies of electronic mail. Other University records management policies (see RMP series policies listed in UC Email Policy Appendix B, References), however, do not distinguish among the media in which records are generated or stored. Electronic mail messages, therefore, in either their electronic or printed forms, are subject to those other policies, including their provisions regarding retention and disclosure.

Section IV.Scope also states that the UC Email Policy applies equally to transactional information (such as email headers, summaries, addresses, and addressees) associated with email records as it does to the contents of those records.

UC Email Policy section IX. Campus Responsibilities and Discretion clarifies that an electronic mail address assigned by the University to a student is a student record, unless assigned in the student's capacity as an employee or agent of the University.

Protection of Personal or Confidential Information

UC Email Policy section VI.B.Security and Confidentiality paragraph 3 clarifies the responsibility of system administrators regarding transactional information or email contents. Specifically it says:

... during the performance of their duties, network and computer operations personnel and system administrators need from time to time to observe certain transactional addressing information to ensure proper functioning of University email services, and on these and other occasions may inadvertently see the contents of email messages. Except as provided elsewhere in this Policy, they are not permitted to see or read the contents intentionally; to read transactional information where not germane to the foregoing purpose; or disclose or otherwise use what they have seen.

Notwithstanding the above mandate to protect personal or confidential information, Providers and their support staff are advised to report to appropriate authorities any improper or illegal activities they may encounter in the performance of their duties. Resource Offices listed in the Appendix of this document should be consulted when needed to clarify such circumstances.

Holder's Consent to Access Email

With rare exception, access to email should be made only with the consent of the holder of that email. The UC Email Policy's Definitions describe the "holder" of email as "an email user who is in possession of a particular email record, regardless of whether that user is the original creator or a recipient of the content of the record." Thus, for example, it is appropriate for consulting staff to inspect an email message when asked by the recipient to look at it in order to provide assistance with a problem.

Inspections of Undeliverable Email

Systems personnel (such as "postmasters") may need to inspect email when rerouting or disposing of otherwise undeliverable email. However, their access to such email has limitations as described in the UC Email Policy section VI.B.Security and Confidentiality, end of paragraph 3:

... This exception is limited to the least invasive level of inspection required to perform such duties. Furthermore, this exception does not exempt postmasters from the prohibition against disclosure of personal and confidential information of the previous paragraph, except insofar as such disclosure equates with good faith attempts to route the otherwise undeliverable email to the intended recipient. Re-routed mail normally should be accompanied by notification to the recipient that the email has been inspected for such purposes.

Access to Employee Email

University employees are expected to comply with University requests for copies of email records in their possession that pertain to the administrative business of the University, or whose disclosure is required to comply with applicable Policies or Contracts (e.g. Work Rules) or laws, regardless of whether such records reside on a computer housed or owned by the University. Failure by employees to comply with such requests can lead to conditions discussed below as "Exceptions Justifying Access Without Consent".

Employers should discuss in advance with staff members appropriate and acceptable measures that may be taken in the event of unexpected absences. In order to minimize the need to gain access without consent,

Employers may want to implement any or all of the following procedures for their employees, depending upon local organizational circumstances:

Use a "vacation" program during absences, to advise correspondents to
reroute business email to an alternative address.

Utilize "shared-use" administrative business accounts with a defined set
of Users,rather than an email account assigned to one individual, for
communications regarding particular categories of business operations.

Establish advance agreements stating circumstances and procedures
to request password and password changes to gain access to the
employee's email.

Organize email records to clearly separate any personal email from
business related email, so that when inspection is required for business
purposes, the potential impact on personal email is minimized.

Exceptions Justifying Access Without Consent

UC Email Policy section V.E. Restrictions on Access Without Consent states that "The University shall only permit the inspection, monitoring, or disclosure of electronic mail without the consent of the holder":

(i) when required by and consistent with law;
(ii) when there is substantiated reason (as defined in Appendix A, Definitions) to believe that violations of law or of University policies listed in Appendix C have taken place;
(iii) when there are compelling circumstances as defined in Appendix A; or
(iv) under time-dependent, critical operational circumstances as defined in Appendix A, Definitions.

and that "when the contents of email must be inspected, monitored, or disclosed without the holder's consent," the following restrictions apply:

Authorization. Except in emergency circumstances as defined in Appendix A, Definitions, and pursuant to Paragraph V.E.2, such actions must be authorized in advance and in writing by the responsible (see Section IX, Campus Responsibilities) campus Vice Chancellor or University Vice President. This authority may not be further re-delegated. Requests for such non-consensual access must be submitted in writing following procedures to be defined by each campus. University counsel's advice shall be sought prior to authorization because of changing interpretations by the courts of laws affecting the privacy of electronic mail, and because of potential conflicts among different applicable laws. Where the inspection, monitoring, or disclosure of email held by faculty is involved, the advice of the Campus Academic Senate shall be sought in writing in advance, following procedures to be established by each campus. All such advice shall be given in a timely manner. Authorization shall be limited to the least perusal of contents and the least action necessary to resolve the situation.
The UC Office of the President has compiled and published an Annual Report on Non-Consensual Access to Electronic Mail that documents the incidence of non-consensual access to email on UC campuses.
Emergency Circumstances. In emergency circumstances as defined in Appendix A, Definitions, the least perusal of contents and the least action necessary to resolve the emergency may be taken immediately without authorization, but appropriate authorization must then be sought without delay following the procedures described in Section V. E. 1 above. If the action taken is not subsequently authorized, the responsible authority shall seek to have the situation restored as closely as possible to that which existed before action was taken.
Notification. In either case, the responsible authority or designee shall, at the earliest possible opportunity that is lawful and consistent with other University policy, notify the affected individual of the action(s) taken and the reasons for the action(s) taken. Each campus will publish, where consistent with law, an annual report summarizing instances of authorized or emergency non-consensual access pursuant to the provisions of this Section.
Compliance with Law. Actions taken under Paragraphs 1. and 2. shall be in full compliance with the law and other applicable University policy, including laws and policies listed in Appendix B. This has particular significance for email residing on computers not owned or housed by the University. Advice of counsel always must be sought prior to any action taken under such circumstances. It also has particular significance for email whose content is protected under the Federal Family Educational Rights and Privacy Act of 1974, which applies equally to email as it does to print records.

Providers must create and implement local procedures for processing requests for access without consent to email located on their own systems. These procedures must comply with the above restrictions. The Berkeley Campus authority for authorization in advance in writing as described in paragraph 1, "Authorization" above is the Vice Chancellor--Research. Providers may wish to refer to a Tracking Form for Non-Consensual Access to Email Records as a sample for creating their own form to document approvals of access without consent.

Return to top

Email System Backup Procedures

Providers must develop, update, and be able to provide upon request, information describing their back-up procedures for email on their facilities. This is required in order for the campus to comply with UC Email Policy Section VI.B.Security and Confidentiality paragraph 5 which states that:

The practice and frequency of back-ups and the retention of back-up copies of email vary from system to system. Electronic mail users are encouraged to request information on the back-up practices followed by the operators of University electronic mail services, and such operators are required to provide such information upon request.

Return to top

Notification of the UC Email Policy

Providers must notify all their new Users regarding the UC Email Policy as required in UC Email Policy section IX. Campus Responsibilities and Discretion, paragraph F: "New users shall positively acknowledge receipt and understanding of the policy. Such notification and acknowledgment may be electronic to the extent that the email user's identity can be assured." As an example, Providers may wish to refer to IST's text to notify Users about the UC Email Policy: Sample Email Policy Notification.

Return to top

Appendix

Selected Regulations

UC Berkeley Computing & Communications: Policies website

University of California Electronic Mail Policy (UC Email Policy)

Berkeley Campus Computer Use Policy

FERPA (AACRAO's Brief Guide to the "Family Educational Rights and Privacy Act")

e-Berkeley Mass Mailing Guidelines

Code of Student Conduct

UC Policy on Faculty Conduct and the Administration of Discipline

UCB & UC Personnel Policies, Contracts, and Administrative Manuals

Policy on Support Groups, Campus Foundations, and Alumni Associations

UC Faculty Handbook section regarding Grievances

Berkeley Campus Policy on Sexual Harassment and Complaint Resolution Procedures

Affiliation Agreements

Whistleblower Policy (UCB Policy and Procedures for Reporting Improper
Governmental Activities and Protection Against Retaliation for
Reporting Improper Activities)

Resource Documents

Model Tracking Form for Non-Consensual Access to Email Records

Guidelines for Administering Appropriate Use of Berkeley Campus Computing and Network Services

Model User Agreement

IST Privileged Access Agreement

Eligibility for Access to IST Services

Berkeley Campus Guide to Managing Human Resources