Email Use Policy (Policy 91)

Purpose

Governors State University (“GovState” or the “University”) provides email services as a tool to facilitate communication in service to its mission. The purpose of this policy is to augment and supplement other University policies, to describe permitted uses of University email, and to describe when certain email features are required to be used. 

Compliance with this Policy is essential to improving email communications, ensuring the security and privacy of University data, protecting the University’s reputation, and ensuring compliance with established regulations and legal and other obligations.

1. Communication Devices – refers to GovState-owned devices, such as cell phones and computers, as well as to email servers or systems. 
2. Email – Communications, including but not limited to messages and attachments thereto, distributed via electronic means using an Official Account or other account maintained by GovState such as a group account. 
3. Freedom of Information Act (FOIA) – Illinois statute (5 ILCS 140/1 et seq.) regarding the definition, handling, and disclosure of public records. 
4. Information Security – Actions, rules, and controls that serve to protect the confidentiality, integrity, and availability of data. 
5. ITS – The GovState Office of Information Technology Services. 
6. Malware – Any unauthorized computer application which serves a nefarious purpose. Viruses and spyware are examples of malware. 
7. Official Email Account – A Microsoft 365 email account assigned to an individual User or group of Users by GovState. 

8. Public Records – Shall have the meaning ascribed in the Illinois State Records Act, as it may be amended from time to time and as now includes Email: 

   made, produced, executed, or received by any agency in the State in pursuance of State law or in connection with the transaction of public business and preserved or appropriate for preservation by that agency or its successor as evidence of the organization, function, policies, decisions, procedures, operations, or other activities of the State or of the State Government, or because of the informational data contained therein. Library and museum material made or acquired and preserved solely for reference or exhibition purposes, extra copies of documents preserved only for convenience of reference, and stocks of publications and of blank forms are not included within the definition of records as used in this Act.

9. User – A person assigned a GSU email account, including but not limited to University employees (current and, where permitted to retain it, former/retired employees), students, third party contractors, and any other person granted a GSU email account address.
10. Other Capitalized Terms used herein shall have the meaning ascribed to them in 89 – Data Classification.

1. Scope
   1. It is the responsibility of all Users to review and follow all University policies. Failure to comply with this policy may result in disciplinary actions, up to and including termination, costly data breaches, breach of privacy expectations, and damage to the University’s reputation.
   2. GovState provides Official Email Accounts via the Microsoft 365 service using the govst.edu and student.govst.edu domains. Third party services and applications may be configured to send email using GovState domains with appropriate approval, which shall be contingent upon compliance with this Policy as though such email were sent from an Official Account.
   3. All Users are subject to this policy when utilizing an Official Email Account to send or receive email or when using a Communication Device to text, to receive voicemail, or to send or receive email via an Official Email Account.
2. Privacy of Email
   1. Email is subject to search, review, and production, including to third parties, for any number of reasons, including but not limited to searches: in response to litigation discovery requests, a subpoena, or civil investigative demand; in response to an internal or external complaint, inquiry, or investigation into University operations; in response to a FOIA request; and in connection with an internal investigation of reported or suspected wrongdoing.
   2. Users have no expectation of privacy when using an Official Email Account or Communication Devices to send or receive emails from an Official Email Account, to send or receive texts from a Communication Device, or to receive voicemails on a Communication Device, nor do Users have an expectation of privacy in account records (e.g., call logs) relating to Communication Devices.
   3. Use of a password or encryption for an Official Email Account, or on a Communication Device does not create an expectation of privacy and does not diminish the public nature of GovState emails or of texts or voicemails stored, sent, or received using a Communication Device.
3. Official Email and Acceptable Use
   1. All students and employees of the University are assigned an Official Email Account. University business conducted via email shall be transmitted only via an Official Email Account. Employees shall not use any personal or non-GovState issued email account for GovState business or to transmit University data. Emails inadvertently sent to or from an employee’s non-GovState email account regarding GovState business shall be forwarded by the User to the User’s official GovState account as soon as the User discovers the error.
   2. Users are responsible for regularly monitoring their Official Email Account and any Official Email Account for which they are responsible. All Users shall be presumed to have received all Email messages sent to their Official Email Account and are responsible for reading those communications.
   3. Personal use of an Official Email Account is not permitted, except for de minimis use. De minimis use may include occasional, sporadic use that does not interfere or detract from the performance of work responsibilities and is not illegal or in violation of University policy, such as the engagement in prohibited political activity.
   4. Retirees and emeriti are bound by this and other applicable policies, and it is the responsibility of the individual to familiarize themselves with and adhere to applicable policies, standards, and procedures.
   5. Special-use and department email accounts and email aliases may be requested by submitting a ticket at help.govst.edu or sending an email to help@govst.edu.
4. Email That Constitutes University Records
   1. Email may constitute a public “record” within the meaning of the Illinois Records Act as it may convey approval or denial of a decision, contain evidence of receipt or expenditure of funds, document the official position of the University, or otherwise evidence the official transaction of the business of the University. Therefore, it is important for Users to identify Emails that constitute Records.
   2. Email may constitute a public “record” within the meaning of the Illinois Records Act as it may convey approval or denial of a decision, contain evidence of receipt or expenditure of funds, document the official position of the University, or otherwise evidence the official transaction of the business of the University. Therefore, it is important for Users to identify Emails that constitute Records. Employee Users are required to preserve Email that constitutes a Record pursuant to the Illinois Records Act and University policy and practice, including the University’s Records Schedules by Department found on the GovState portal.
5. Transmission of Sensitive Data
   1. Use of Email to communicate Restricted or Internal-Only data (89 – Data Classification) to external third parties are strictly prohibited without the use of email encryption.
   2. It is the responsibility of all Users to review the information on how to use email encryption features. Instructions on the use of encrypted email are available in the ITS Tutorials Library.
   3. It is the responsibility of all Users to review and follow the Information Security Policy, Data Classification Policy, and other applicable policies, standards, and procedures.
6. Email Security
   1. ii. iii. It is the responsibility of all Users to report email incidents to the ITS Office of Information Security. Email incidents include, but are not limited to, all types of phishing attacks, unauthorized access, or changes to an Official Email Account by a third party, accidental data disclosure to unintended parties, and all types of email threats of potential harm to person or property.
   2. Report email incidents by submitting a ticket at help.govst.edu or sending an email to help@govst.edu. Any real or perceived threats to persons or property should be immediately reported to 911 or Campus Police.
   3. Users are encouraged to report phishing and spam using the appropriate tools included in the desktop and web versions of Outlook provided by the University.
   4. Users are required to take any and all mandatory training issued by the University regarding Email (or more generally, data) security. Failure to timely take such training may result in disciplinary action, including but not limited to restricted access to Email and other GovState systems and termination.
   5. GovState uses technology systems that scan Email for Malware and sensitive content and enable Users to search their own emails. These systems may present a warning or prevent a message from being sent or received if triggered.
   6. Sharing credentials, including credentials to Official Email Accounts, is strictly prohibited. If multiple users require access to a single email account, delegated permissions must be used.
   7. Email should only be accessed using approved email client software. For Users, currently approved software is limited to Microsoft Outlook for Windows, Mac OS, iOS, and Android, as well as Outlook.com via any supported web browser.
   8. Accessing Email on a personal device should be minimized and may be restricted by other policies.
   9. If used for official University business, or storing or transmitting University data, Communication Devices may have security settings automatically applied, including encryption, authentication requirements, minimum operating system requirements, and the ability for the University to remotely lock and erase the device.
7. Email Forwarding
   1. Manual or automatic forwarding or moving University email that contains non public information as defined by the GSU data classification policy, to any destination, internal or external, other than where it was originally sent is only permissible for valid business purposes and where appropriate security controls such as encryption are in place.
   2. In addition, any records (including emails) that relate to the transaction of University business (i.e. public records) are subject to the Illinois Freedom of Information Act (FOIA), regardless of whether those records are stored in GSU or non-GSU email accounts.
   3. If an employee forwards, transacts, or otherwise transfers their University e mail to non-GSU email accounts, those other accounts become subject to searches in response to FOIA requests.
   4. Routine, automatic email forwarding is discouraged. Please contact ITS to determine if a more appropriate alternative process is available.
8. Email Content Policies
   1. The University’s Department of Marketing and Communications establishes certain requirements regarding the content of Email including:
      1. Standardized rules for the appearance and content of signatures and other email components.
      2. Protocols for complying with accessibility requirements and best practices.
      3. Internal and External mass communications.
   2. Refer to policies, procedures, and standards established by Marketing and Communications, or contact that department for additional information.