I. OBJECTIVE AND PURPOSE OF POLICY
To establish a policy concerning University electronic mail and the rules and guidelines associated with this resource. This policy applies to all persons and entities that are provided an account in the University's electronic mail systems (i.e., Office 365 or UNF-hosted email).
II. STATEMENT OF PROCEDURES
Email is a key communication resource provided by the University for the benefit and use of its employees, students, and other authorized users. All email users have the responsibility to use their University-provided email account in an ethical and lawful manner. UNF utilizes two enterprise email solutions: a cloud-based instance for faculty and staff members for University business use and a separate cloud-based instance for students.
A copy of this policy shall be provided to all employees at the beginning of their employment at UNF. Any violation of this policy and procedures may result in disciplinary action, including but not limited to the loss of email privileges.
Authorized users - A person granted access to the University's email system. All users must comply with the rules, regulations and policies regarding email as if they are a full-time employee of UNF, regardless of their actual relationship with the University.
Deleted account - An email account that has been purged from University email systems.
Employee - A person who has been officially hired by UNF and has an employee record in the Banner HR system.
Enterprise Resource Planning System (ERP) - Banner Student Administration, Human Resources (HR), or Financials systems: ERP is the authoritative source of information on Student, HR and Financials data, and identity data on all persons and entities affiliated with UNF.
Office 365 (O365) - An email service offered by Microsoft Corporation. Office 365 is the email platform supporting UNF's enterprise email service.
Phishing - An attempt to acquire sensitive information such as usernames, passwords, and credit card numbers, often for malicious purposes, through electronic communications, such as email or text messages.
Pre-Employment - The status of a person who has accepted employment at UNF, and is provisioned in the ERP system, but whose official start date has not occurred.
Public Records - All documents, papers, letters, maps, books, tapes, photographs, films, sound recordings, data processing software, or other material, regardless of physical form, or characteristics, or means of transmission, made or received pursuant to law or ordinance or in connection with the transaction of official business by any agency which are used to perpetuate, communicate, or formalize knowledge.
Retiree - An individual who has completed all steps necessary to retire from the University and is officially listed in the ERP system as a Retiree.
Spam - Unsolicited and undesired electronic messages containing advertisements for products or services.
Sponsored Account - A computer or email account created for individuals who do not fit standard employee or student roles, such as consultants, contractors, guests, courtesy appointees, etc.
Student - A person who has been admitted into full-time, part-time, or transient student status and who has a student record in the Banner ERP system.
University Business - In the context of this policy, electronic mail messages that a person covered by this policy may send or receive in the conduct of their University responsibilities.
IV. GENERAL POLICY
Email Data Ownership
The University owns all University email accounts in all Microsoft Office 365 instances. The content in the O365 instance is owned by the University. University business must be conducted using the Microsoft Office 365 instance.
All email content in O365 instances is subject to copyright and other intellectual property rights under applicable laws and University policies. Note that student workers' email is subject to the same laws, regulations and policies as employee email, including public records law.
Email Privacy and Right of University Access
The University will make every attempt to keep email messages secure; however, privacy is not guaranteed, and users should have no general expectation of privacy in email messages sent through University email accounts. Under certain circumstances, it may be necessary for University IT staff or other authorized University officials to access University email accounts. These circumstances may include, but are not limited to, maintaining the system, investigating security, privacy, or abuse incidents or investigating violations of this or other University policies; public records requests and subpoenas, and, in the case of Microsoft Office 365 Accounts, violations of Microsoft's Acceptable Use Policy or the University's contracts with Microsoft. University IT staff or University officials may also require access to a University email account in order to continue University business where the University email account holder can no longer access the University email account for any reason (such as death, disability, illness, or separation from the University.) Such access will be on an as-needed basis and any email accessed will only be disclosed to individuals who have been properly authorized and have an appropriate need to know or as required by law. The University may access the contents of email accounts for purposes of e-discovery, or officially sanctioned investigations.
All email users are bound by the appropriate acceptable use policies of both the University (found here: 6_0050P) and Microsoft (found here: microsoft volume licensing). Request for access to an active or former employee's email account requires approval from the Director of Human Resources (or their designee) or the Office of General Counsel. Request for access to a student's email account requires approval from the Provost (or their designee) or the Office of the General Counsel.
Data Retention and Purging
Email messages held in the O365 instance are subject to the University's storage and email retention policies. O365 mailboxes are set to the maximum allowable storage size. Once the storage capacity has been reached, email must be archived or deleted by the account holder to get below the storage threshold.
Email Record Retention
All documents and other written materials that are made or received pursuant to law or that are made or received in the transaction of official University business are public records, which, regardless of form, must be retained and made available for public inspection upon request, unless a statutory exemption applies. Electronic mail messages qualify as public records if they meet these criteria.
For specific guidance on records retention and how it affects email, please refer to the General Counsel's website.
Appropriate Use and User Responsibility
Restricted data, as defined by policy 6.022P Data Classification & Security, must not be stored or transmitted within the University email system unless the data is encrypted. Internal Use and Public data may be transmitted or stored within the University email system without data encryption. Sending restricted data from the University email systems to a non-University email system without data encryption is prohibited. Refer to the University policy 6.022P Data Classification & Security for further definitions and information on protecting data.
Please refer to UNF policy 6.0100P, Email Distribution, for the University's requirements on mass email communications.
Each individual is responsible for their account, including the safeguarding of access to the account. All email originating from an account is assumed to have been authored by the account holder, and it is the responsibility of that holder to ensure compliance with this policy. The sharing of passwords is strictly prohibited.
All incoming email is scanned for malware and spam. Suspected messages are blocked from the user's inbox. Due to the complex nature of email, it is not possible to guarantee protection against all spam or malware, nor is it possible to prevent blocking of certain legitimate messages. It is therefore incumbent on each individual to use proper care to prevent the spread of malware. In many cases, messages containing or pointing to malware or phishing content appear to be sent from a friend, coworker, or other legitimate sources. Users should not click on links in an email message or open attachments unless the user is certain of the nature of the message and the sender. Suspicious emails should be forwarded as an attachment to ITSecurity@UNF.edu where they can be investigated.
Personal Email Accounts / Email Forwarding
To avoid confusing official University business with personal communications, and to adhere to Florida public records laws, employees must not use non-University email accounts (e.g., personal Hotmail, Yahoo, or Gmail accounts) to conduct University business. Forwarding University business related email to a non-University personal email account is not permitted in order to prevent potentially sensitive University information from being sent to external, non-secure email systems. Forwarding rules will be not allowed from the O365 email instance.
Account Creation - Employees
Upon completion of the hiring or pre-employment process, and when an employee record is created in the Human Resources system, each employee has an email account created, with a default email address applied. Faculty and staff can establish an alternate, or alias, account name by using the self-service process in the online portal.
Account Creation - Students
Once student applicants are matriculated, the student email account is created. When a student is employed by the University (e.g., part-time employment, GTA, etc.), a separate email account will be created in the O365 email system for the purposes of conducting University business.
Account Creation - Departmental & Sponsored Email Accounts
Requests for shared departmental accounts require designation of an account holder who is responsible for the account as per these guidelines. The same is true for any sponsored accounts.
Email Account De-Provisioning
The University reserves the right to revoke email privileges at any time.
Faculty and Staff who leave before retirement
Faculty (excepting adjuncts) and staff members who leave the University will have email privileges removed effective on their last worked day. If such separation is for cause, email privileges may be immediately revoked without notice. Upon request, automatic replies will be added to the email account to notify senders of new contact information. An email account may also be assigned to a manager, or delegate, upon appropriate approvals. If necessary and as required by current records retention requirements, arrangements to preserve the contents of the account's mailbox must be made prior to account termination by the immediate supervisory position. For adjuncts, email accounts will be deleted at the start of the third term with no appointment to a job.
Retired Faculty and Staff
Faculty and staff members who have retired from the University will be permitted to obtain a new University email forwarding address on an opt-in basis. This address will be in a retirees domain (@retirees.unf.edu). Note that this is not an email account.
Emeritus faculty may retain a full email account upon designation of emeritus status, as if they were full-time faculty.
Active Students and Alumni
Student email accounts will only be provided during the period of time students are an active student at UNF. This is set to expire at the beginning of the third term without enrollment. Prior to terminating the account, a solicitation will be sent to the student for an alternate email for use in contacting them in the future. Students have the option of downloading their data prior to deletion.
If a student is expelled from the University, email privileges may be terminated immediately.