Stewardship and Custodianship of E-mail

ITS Policy 10.1.5

Policy Statement

Colgate University provides an e-mail system for students, faculty, staff, alumni, contractors and others to facilitate communication related to academic, administrative, and community engagement matters. E-mail is an official means of communication for the University, and users are responsible for communications via this system. The University strives to administer this system for the entire Colgate community in a manner that preserves a level of confidentiality as outlined in this policy. The University will execute this policy while maintaining compliance with relevant State and Federal laws, regulations, and University policies.

Although the University does not recommend personal use, it recognizes and permits limited personal use of the colgate.edu e-mail domain (and its subdomains). This personal use does not acquire a right of privacy for communications transmitted or stored using University electronic information resources (EIR).

This policy defines the roles of stewards and custodians with regard to e-mail. Custodians are tasked with the care of e-mail accounts. Stewards are responsible for ensuring e-mail content is seen only by those who have a need to see it as defined by this policy. Account types are assigned specific stewards. A table of which stewards are responsible for which account types can be found under the E-mail Stewards heading at the end of this policy.

Principles and Standards

Custodians of e-mail must never access or disclose the contents of any e-mail for which they are not correspondents except when authorized by defined e-mail stewards under strict guidelines in the following situations:
  1. In the event of a health or safety emergency.
  2. In response to a court order, subpoena or other compulsory legal process.
  3. As part of an internal investigation involving a breach of policy or law.
  4. In immediate need to continue a critical and time-sensitive business process.
  5. To provide business continuity in the event of a death or employee departure.

Reason for this Policy

The University strives to protect e-mail communications from inappropriate access or disclosure. This policy provides clear guidelines for those circumstances in which access to e-mail is granted to those other than the named account holder. It ensures an appropriate level of oversight, control, and accountability for such actions.

Scope of Policy

Entities affected and bound by this policy include all members of the University, including users of Colgate's E-mail for Life offering, except where otherwise indicated in this or other policy.

This policy is in direct relation to Colgate's e-mail system but may be used as a general guideline concerning all other forms of electronic communications transmitted or stored using Colgate's electronic information resources where specific policy may not yet be adopted.

Who Should Read this Policy

All members of the University community should read this policy.

Procedures

Requests to Access or Disclose E-mail Content

For a graphical decision tree of the procedures below see the Decision Tree heading at the end of this policy.

A. In the Event of a Health or Safety Emergency

In the event of a health or safety emergency, the University may access and/or disclose the content of e-mail according to the following procedure:
  1. The Information Privacy & Security Officer (IPSO) may only grant access and/or disclose the data upon request of the Director of Campus Safety, Director of Health Services, Director of the Counseling Center or a member of the President's Staff. Emergency requests may be made directly to the IPSO.
  2. In order to preserve any potential evidence, the IPSO will make a second copy of the requested contents on a read-only medium and store it in a secure location, clearly labeled and sealed. The IPSO will create an incident document summarizing the request, the process used in obtaining the contents and any other relevant observations during the event.
  3. In the interest of saving time during the emergency, the original request may be verbal. As such, after the request is fulfilled, the requesting party will provide the IPSO with a formal (written or e-mailed) request citing the nature and detail of the information requested. As soon as is practicable, the IPSO will notify the appropriate e-mail steward(s) and the CIO of the request with a Notice of Preservation & Access.
  4. To ensure the emergency request procedure in this policy is not abused, emergency requests will be reviewed by the President’s Staff within a reasonable time after the event at which time any adjustments to this policy may be made.

B. In Response to a Court Order, Subpoena or Other Compulsory Legal Process

In the event of a court order, subpoena, litigation hold or similar request/demand, Legal Counsel may be asked to review the validity and authenticity of the request/demand. Legal Counsel may then provide advice regarding the University's obligations to comply, and the University is free to comply with that advice notwithstanding any provision of this policy.
  1. A member of the President’s Staff or the Special Assistant to the President for Legal Affairs may make a direct request to the IPSO along with any additional and/or specific instructions to preserve the e-mail content.
  2. The IPSO will make a copy(s) of the evidence as per the instructions and will create an incident document summarizing the request, the process used in obtaining the contents and any other relevant observations during the event.

C. As Part of an Internal Investigation Involving a Breach of Policy or Law

In the event of an investigation involving an employee or faculty related to his or her employment status, requests for access may be made to specified e-mail stewards.
  1. All requests to access an account holder's e-mail must be made formally, in writing or by e-mail, to the appropriate account holder’s e-mail steward (see E-mail Stewards) by an employee’s manager, immediate supervisor or director, a student’s academic advisor or professor, a member of the Equity Grievance Panel (EGP), a member of the President’s Staff or another e-mail steward. To avoid unreasonable searches and fishing expeditions, each request must contain a detailed reason for the request with a range of dates in which to search along with keywords or other information that can narrow the search to the pertinent investigation.
  2. Requests will then be vetted through an Administrative Council consisting of four (or more) members of the President's Staff. The Council reserves the right to ask for the opinions of other University members when deliberating. Investigations involving faculty e-mail will have two additional members taking part on the Council: the Chair of the Committee on Information Technology and the Chair of the Faculty Affairs Committee. Decisions will be made based on a majority vote of the Council.
  3. Approved requests will then be sent to the IPSO. The IPSO will perform the search on the e-mail account(s) using the keywords and dates supplied with the approved request. The IPSO will create an incident document summarizing the request, the process used in searching for the keywords in the request and any other relevant observations during the event.
  4. Findings from the initial search may then be given to the e-mail steward(s) along with a Notice of Preservation & Access if and when appropriate. If the initial search is fruitless, no further investigation may be made on the e-mail account(s) without the requesting party making a new official request.
  5. If the initial search is fruitful, the IPSO will make a copy of the related contents to a read-only medium and store it in a secure location, clearly labeled and sealed. The IPSO will append the incident document with a summary of the request, the process used in obtaining the contents and any other relevant observations during the event. As soon as is practicable, the IPSO will notify the CIO of the request with a Notice of Preservation & Access.
  6. Access to the content of the e-mails identified from the initial search may then be requested by the e-mail steward(s). If such a request is made, a second copy of the e-mail contents will be saved to a read-only medium and delivered to the appropriate e-mail steward.

D. In Immediate Need to Continue a Critical and Time-Sensitive Business Process

In the event an employee or faculty member's professional association with the University has ended, or the account holder is unavailable and without access to their e-mail, it may sometimes be necessary to access information stored in the account holder's e-mail in order to preserve business continuity.

At no time may the user who has been granted access be permitted to send e-mail as (or impersonate) the account holder.
  1. In such cases, supervisors may make requests for access through the proper e-mail steward(s) (see E-mail Stewards). Such requests must be reasonably limited in scope and time. Approval for granting access is at the discretion of the e-mail steward. Approved requests may then be sent to the IPSO, at which time the IPSO may change the account password and give that password to the e-mail steward.
  2. The IPSO will create an incident document summarizing the request, the process used in obtaining the contents and any other relevant observations during the event. As soon as is practicable, the IPSO will notify the CIO of the request with a Notice of Preservation & Access.
  3. Requests will be reviewed by the President’s Staff within a reasonable time after the event at which time any adjustments to this policy can be made.

E. To Provide Business Continuity in the Event of a Death or Departure

Parents or legal guardians may request access to e-mail in the event of their child's death. If access to an account is granted, it must be for a defined and limited period of time. Prior to granting access, the account may be archived. Access requests can be made through the Dean of the College at his or her discretion.
  1. Approved requests will be sent to the IPSO at which time the IPSO will change the password and give it to the Dean of the College. All requests will be documented and may be reviewed.
  2. Students may also designate a proxy (usually a parent, grandparent or other legal guardian) to have access to their personal e-mail in the event of a medical emergency or death. Student workers may not allow a proxy to access their given employee e-mail account.

In the event of an employee’s departure from the University, access to e-mail may be granted via the procedure to continue a critical and time-sensitive business process (Procedure D) above.

All other e-mail accounts are designated and designed for Colgate business use and are the property of the University; access to these accounts may not be granted or willed to spouses, family or friends upon the account holder’s death.

E-mail Archiving Guidelines

As it is impossible for the University to anticipate every scenario involving access to e-mail, the University strives to mitigate risk by archiving certain e-mail accounts.

E-mail transmitted or stored in Colgate's e-mail system may be archived. Unless otherwise noted in this policy, the archived e-mail is not available to account holders. The length of time e-mail is stored is listed below:

Table of E-mail Archive Life*
Students: Except in cases of legal matters and where otherwise noted in this policy, a student's e-mail is not automatically archived and their account is purged one year after attending the University unless they sign up for “E-mail for Life”.

Student Workers: Students employed by the University while attending Colgate may be provided with a separate e-mail account with which to conduct Colgate business. Student worker e-mail accounts may be archived during and after their employment.

Alumni: Alumni are offered the opportunity to keep their student e-mail address upon graduation through a program called “E-mail for Life”. These accounts are not automatically archived and accounts may be purged immediately after an alumnus opts out of the service except in matters where a litigation hold has been placed.

Alumni Employees: Many alumni spend some part of their professional career working for the University. Those alumni who have opted in to “E-mail for Life” may be given a new account to be used for conducting Colgate business. Both their “E-mail for Life” account and their business account may be subject to archiving during and after their employment.

General Staff: General staff e-mail accounts may be archived during and after their employment.

Executive Staff: Executive staff positions and those positions which are permitted to conduct contract negotiations or make capital purchases on behalf of the University may have their e-mail archived indefinitely.

Faculty: All faculty e-mail is to be archived during the professor's stay at Colgate University. Faculty e-mail may be purged ten years after their association with the University has ended.

Emeritus: Emeritus faculty may retain access to their colgate.edu e-mail account. Such accounts should be used primarily for conducting business, research and maintaining a professional connection to the University. Emeritus e-mail accounts may be archived indefinitely and not purged upon the account holder's death.

*In the event of an investigation or other authorized access to an account, the account holder's e-mail may be archived from the point of time when the investigation began until, at minimum, one year after the account holder's association with the University has ended.

General Summary

As a general rule, Colgate treats all e-mail as confidential. Any attempt to access e-mail during transmission or while stored without going through the proper procedures listed above is unauthorized. Violators of this policy may be sanctioned, terminated and/or face criminal charges.

Below is a general guideline for who has authority of access to specified account types.

Summary of Account Preservation & Access
Student E-mail: The Deans of the College or Admissions are responsible for relaying requests for access to the Administrative Council. Student e-mail may be accessed in health and safety emergencies, and investigations involving (but not limited to) harassment, academic dishonesty, and breaches of the Code of Student Conduct. Student e-mail is not archived unless an authorized access has been granted. In such cases, the life and duration of the archive may vary in accordance with the legal requirements surrounding the investigation which prompted the need for access.

Student Worker E-mail: The Associate VP of HR and the Deans of the College or Admissions are responsible for relaying requests for access to the Administrative Council. In addition to the above, a student worker's account may be accessed for reasons of business continuity, HR investigations or litigation hold. Student worker e-mail accounts may be archived for a minimum of four years after the student graduates.

Alumni E-mail: Requests for access to alumni e-mail must be sent through the VP for Institutional Advancement. As outlined in the E-mail for Life EULA, alumni e-mail is subject to the same level of confidentiality as any colgate.edu e-mail address.

Faculty E-mail: Stewardship of faculty e-mail accounts is the responsibility of the Provost. In addition to what is listed in this policy, access to archived faculty e-mail may be granted to former account holders for purposes of research at the discretion of the Administrative Council. Investigations involving faculty e-mail will have two additional members taking part in the Administrative Council: the Chair of the Committee on Information Technology and the Chair of the Faculty Affairs Committee. Faculty e-mail may be archived for a minimum of ten years after employment.

Faculty Emeritus E-mail: Access requests to faculty emeritus e-mail accounts must pass through the President of the University. All faculty emeritus accounts may be archived indefinitely.

General Staff E-mail: The Associate VP of HR is responsible for relaying requests for access to employee e-mail accounts to the Administrative Council. Employee e-mail accounts may be archived for a period no less than seven years after employment.

President’s Staff E-mail: The President of the University is responsible for bringing access requests to the President’s Staff's e-mail accounts to the Administrative Council. Members of the Administrative Council on the President's Staff may not vote concerning the authorization to access their own accounts. All Presidential Staff e-mail accounts are archived indefinitely.

President’s E-mail: The Board of Trustees is responsible for authorizing or denying access to the President's e-mail account. The President’s e-mail account is archived indefinitely.

ITS Support Staff

In the course of providing technical support, performing network security and/or maintenance (e.g., backups and restores), ITS Support Staff such as TSAs and/or Network & Server Admins may be required to access, observe, or intercept, but not disclose, reroute, or forward electronic mail messages. There are two circumstances when it is permissible for ITS Support Staff to disclose, reroute, or forward the content of e-mail:

Emergency Exception:

Should an ITS Support Staff member, in the usual course of business, reasonably believe that he or she has accessed information about an emergency involving imminent danger of death or serious injury, the following procedures should be invoked:

1. Contact Campus Safety immediately.

2. As soon as is practicable, report the incident and the underlying information to the CIO or an appropriate e-mail steward.

Responsible Use Exception:

In situations when a local support provider reasonably believes that he or she may have observed evidence of a violation of law or policy, the following procedure should be invoked:

1. As soon as is practicable, report the incident and the underlying information to the CIO or an appropriate e-mail steward.

Contacts

You may direct any general questions about this or any Colgate policy to your immediate supervisor or department director. If you have specific questions about this policy, please contact the Information Privacy & Security Officer whose information can be found at:

http://www.colgate.edu/offices-and-services/information-technology/about-its/its-staff

Enforcement

As noted in Faculty, Employee and Student Handbooks, enforcement of this policy is the responsibility of the Provost, HR and Dean of the College where appropriate.

Reporting Alleged Violations

Violations of this or any ITS policy can and should be reported immediately to the Associate VP of HR, the CIO, Dean of the College, or the Provost and may be done anonymously.

Notice of Preservation & Access Template

Below is the template to be used as the notification letter when an e-mail account has been accessed.

(Acting) Information Privacy & Security Officer, IPSO Colgate University

Date of Actual Search

Account Holder
CC: E-mail Steward, Title
CC: Chief Information Officer, CIO

A request was approved by the President of the University to preserve and access your username@colgate.edu e-mail account. Throughout this process, procedures and guidelines were followed as outlined in ITS Policy 10.1.5 to ensure the content of your e-mail remains confidential. Please contact E-mail Steward, Title @ contact information for any questions you have regarding this letter.

Sincerely,

(Acting) Information Privacy & Security Officer, IPSO

Roles & Responsibilities Matrix

Table of Roles and Responsibilities
Role: Responsibility

Chief Information Officer (CIO): A member of the Administrative Council and President's Staff, authorized by the University, and responsible for the maintenance and security of all electronic information resources.

Director(s) of Campus Safety, Director(s) of Health Services, Director(s) of the Counseling Center, President’s Staff: Authorized in health and safety emergencies to contact ITS with requests to immediately intercept, access, and/or disclose e-mail content. When practicable, notifies the appropriate e-mail steward(s) of a request and makes an archive-able request to the IPSO.

E-mail Steward(s): Receive requests for access to e-mail, calling upon the Administrative Council for approval of such requests, and coordinating communications with account holders as to the nature of such requests when practicable. Receive Notice(s) of Preservation & Access always to be relayed to account holders when practicable. For a list of stewards, see the section, “E-mail Stewards”.

Information Privacy & Security Officer (IPSO): Performs authorized actions on accounts in conjunction with approved requests for content access. Sends Notice(s) of Preservation & Access to appropriate e-mail steward(s) when practicable. Responsible for the confidentiality, integrity and availability of University data.

Legal Counsel: Receive and evaluate the authenticity of external requests for data preservation and discovery and consult with the University as to their obligations, rights and how to proceed and comply.

Requesting Party: In cases of health or safety emergencies, the requesting party is responsible for making the initial request for access to the IPSO and then providing official notification, when practicable, to the appropriate e-mail steward(s). In cases of internal investigation(s), the requesting party is responsible for justifying through probable cause the reason(s) for making their request to the e-mail steward(s) and for providing initial search terms.

Administrative Council: Evaluate and approve or deny requests to have e-mail preserved and/or accessed by individuals other than the account holder, sending approved requests to the IPSO and denied requests back to the e-mail steward(s). Authorize individuals to access accounts. At any time, a council can be made of any four of the President's Staff. Investigations involving faculty e-mail will have two additional members taking part in the Administrative Council: the Chair of the Committee on Information Technology and the Chair of the Faculty Affairs Committee.

E-mail Stewards

Student E-mail: Dean of the College or Dean of Admissions

Student Employee E-mail: Associate VP of Human Resources and Dean of the College or Dean of Admissions

Alumni E-mail: VP for Institutional Advancement

Faculty E-mail: Provost or Associate Provost

Emeritus E-mail: President of the University

General Staff’s E-mail: Associate VP of Human Resources

President’s Staff E-mail: President of the University

President’s E-mail: Board of Trustees

Decision Tree

Definitions

Account: A colgate.edu e-mail address and its content.

Account Holder: An individual trusted with the use of and access to a colgate.edu domain e-mail address, usually associated directly with their username.

Archive: Data written or stored physically over a period of time that cannot be altered.

Confidential: Limited and/or restricted to access of content by authorized individuals.

Content: Substantive information or creative material viewed in contrast to its actual or potential manner of presentation; data which contains, in and of itself, enough information to convey a complete thought.

Electronic Information Resource (EIR): Any device or network which transmits, stores, presents or manipulates data.

E-mail for Life: E-mail accounts under the colgate.edu domain offered to alumni upon graduation.

E-mail Custodians: Any individual, not the account holder, trusted with access to account content.

E-mail Steward: An individual entrusted with the responsibility for helping maintain the confidentiality of certain e-mail accounts with regards to this policy while upholding the values, mission, goals and security of the University.

Health or Safety Emergency: Situation(s) where the immediate physical well-being of an individual(s) is at risk.

ITS Support Staff: Individuals representing ITS responsible for maintaining the functionality of and assisting users with Colgate’s electronic information resources. This staff includes but is not limited to TSAs, Network & Systems Admins, and the IPSO.

Keywords: Words and/or phrases used in a data search.

Letter of Preservation: A common, court-ordered request of litigation hold sent to a party in a legal dispute as a means to prevent spoliation of evidence.

Notice of Preservation & Access: A letter created by the acting IPSO and addressed to the account holder and appropriate e-mail steward(s) of entry to an account by an authorized individual(s).

President’s Staff: As of this writing, the President’s Staff are:

Athletics Director
Vice President for Institutional Advancement
Vice President for Finance and Administration
Provost and Dean of the Faculty
Chief Information Officer
Vice President and Dean of the College
Vice President and Dean of Admission
Associate Provost for Equity and Diversity
Vice President of Communications
Vice President and Senior Adviser
Assistant to the President

Requesting Party: Individual(s) requesting access to an account.

Revision History

Published by Peter Setlak, March 3, 2014
Approved by CIT, February, 2014
Submitted to CIT, Kevin Lynch, CIO, January, 2014
Submitted to President’s Staff, Kevin Lynch, CIO, December, 2013
Submitted to CIO, Peter Setlak, IPSO, November 11, 2013
Submitted to Legal Counsel, Brendt Simpson, October, 2013
Approved by CIT, Patrick Crotty, June 25, 2013
Submitted to CIO, Peter J. Setlak, IPSO, June 9, 2013
Submitted to CIT, Kevin Lynch, CIO, May 17, 2013
Submitted to CIT, Kevin Lynch, CIO, May 15, 2013
Submitted to CIO, Peter J. Setlak, IPSO, March 28, 2013
Draft 0.1, Peter J. Setlak, IPSO, March 27, 2013
First Draft, Peter J. Setlak, IPSO, March 21, 2013