Policy

Electronic messaging policy

Updated on 8 March 2020

Outlines the University’s approach to use of its electronic messaging facilities

Purpose

This policy outlines the University’s approach to use of its electronic messaging facilities. It provides the guiding principles and responsibilities to ensure the University’s electronic messaging objectives are met.

Scope

This policy is applicable across the University and applies to:

  • all individuals who have access to University information and technologies
  • all facilities, technologies, and services that are used to process University information
  • all information processed, accessed, manipulated, or stored (in any format) by the University pursuant to its operational activities
  • internal and external processes used to process University information
  • external parties that provide information processing services to the University

The policy will be communicated to users and relevant external parties.

Objectives

The University’s objectives for this policy are to:

  • safeguard the University’s information from security threats that could have an adverse effect on its operations or reputation
  • fulfil the University’s duty of care toward the information with which it has been entrusted
  • protect the confidentiality, integrity, availability and value of information through the optimal use of controls

Policy

  • Access to University-provided messaging platforms is governed according to the Access Control Policy.
  • All material sent from, received by, uploaded to, or downloaded from the University’s email servers or other third-party applications must be handled in a manner appropriate to its information classification.
  • Where a person has left employment, that person’s line manager may, if required, subject to a written request to the Data Protection Officer (DPO) and written consent from the DPO provided to IT, be granted access to that person’s mailbox for the period granted by the DPO.
  • All mailboxes will be removed in line with current retention rules unless an exception has been requested and approved by the DPO.
  • There may be some legacy generic email accounts where a single username and password for the mailbox are shared by several people, in which case the logon details should not be distributed beyond those people who need access.
  • Once a message has been sent, recipients may intentionally or accidentally forward the message to other individuals. Therefore, users of electronic messaging should have no expectation that any electronic message will remain private.
  • Any data breaches caused via email will be handled in accordance with all relevant policies.
  • The University has deployed spam filters and anti-virus filters. These filters are there to protect the University’s information systems resources from viruses and unsolicited email. Where a user interacts with unsolicited email in such a way as to cause an access or data breach or compromise, the University may suspend the user’s account while the issue is rectified.
  • The use of University-provided email or any other electronic messaging system provided by or used on behalf of the University is subject to all relevant laws, policies, codes of practice, and guidelines.
  • Email is provided for conducting University business, and while individuals may use their University accounts for personal communication, the account remains the property of the University, and any communication using it should not be considered private.
  • Official University business should normally be conducted from email accounts provided by or on behalf of the University. Users should be aware that the use of third-party email providers for University business is prohibited.
  • Users of email or other third-party-supplied electronic messaging used on behalf of the University:
    • Must not send messages or message content that may harass or offend (including racist, sexist, defamatory, or obscene material)
    • Must not send messages from someone else’s account except under proper “delegate” and “send on behalf of” arrangements which retain individual accountability
    • Must not use University email or messaging systems operated on behalf of the University for personal gain or profit
    • Must not use University email or messaging systems operated on behalf of the University to represent themselves as someone else
  • Mailboxes will be disabled in accordance with the Access Control Policy’s ‘Account Expiration’ provisions. See the Access Control Policy for details.

Legal and regulatory obligations

The University has a responsibility to abide by and adhere to all current UK and EU legislation as well as a variety of regulatory and contractual requirements.

A non-exhaustive summary of the legislation and regulatory obligations that contribute to the form and content of this policy is provided in IT policies - relevant legislation.

Related policies will detail other applicable legislative requirements or provide further detail on the obligations arising from the legislation summarised below.

Responsibilities

The following University bodies and individuals have specific information security responsibilities:

  • The University’s Information Technology department is accountable for the effective implementation of this policy, and supporting information security rules and standards, within the University.
  • The Data, Records and Information Committee (DRIC) has executive responsibility for information security within the University. DRIC has responsibility for overseeing the management of the information security risks to the University's staff and students, its infrastructure, and its information.
  • The Assistant Director, UoD IT (Infrastructure, Security and Research Computing) is responsible for establishing and maintaining the University’s cyber security management framework to ensure the availability, integrity, and confidentiality of the University’s information. The Assistant Director will lead on the definition and implementation of the University’s cyber security arrangements and make judgement calls when situations arise that are not covered by the current cyber security management framework.
  • Users are responsible for making informed decisions to protect the information that they process. Users will familiarise themselves with the relevant policies governing the information and systems they access.

Supporting policies, codes of practice, procedures, and guidelines

Supporting policies have been developed to strengthen and reinforce this policy statement. These, along with associated codes of practice, procedures, and guidelines are published together and are available for viewing on the University’s website.

All staff, users, and any third parties authorised to access the University’s network or computing facilities are required to familiarise themselves with these supporting documents and to adhere to them in the working environment.

Compliance and breach of policy

The University will conduct cyber security compliance and assurance activities, facilitated by the University’s cyber security staff, to ensure cyber security objectives and the requirements of the policy are met. Wilful failure to comply with the policy will be treated seriously by the University and may result in enforcement action. Any questions or concerns about this policy should be discussed with Line Managers.

Review and development

This policy and its supporting documentation will be reviewed and updated at least annually. Further reviews and updates will take place when best practice or the legislative/regulatory environment changes to ensure that they:

  • remain operationally fit for purpose
  • reflect changes in technologies
  • are aligned to industry best practice
  • support continued regulatory, contractual and legal compliance

Changes to this policy will be presented to DRIC for review prior to publication.

Further information

Definitions

University
The University of Dundee is a Scottish Registered Charity, No. SC01509 with its registered office at Tower Building, Nethergate, Dundee DD1 4HN
Staff
Staff are salaried members of the University or contracted individually by the University to provide a service.
Student
A person pursuing any course of study in the University.
Visitors
A visitor is anyone, not a member of staff or student, requiring access to University premises or services.
Information
The result of processing, manipulating, or organising data. Examples include, but are not limited to, text, images, sounds, codes, computer programmes, software and databases.
Data
Information in raw form.
Confidentiality
Property that information is not made available or disclosed to unauthorized individuals, entities, or processes.
Integrity
Property of accuracy and completeness.
Availability
Property of being accessible and usable upon demand by an authorized entity.

Relevant legislation

A non-exhaustive summary of the legislation and regulatory obligations that contribute to the form and content of this policy is provided in IT policies - relevant legislation.

If you have any questions regarding this policy, please contact the University’s Help4U service.

Corporate information category IT