Email has become the primary method of written communication across Pacific. As the security of records and information is a mission-critical task, it is imperative Pacific employees use email in a manner consistent with best and secure business practices.
University emails may contain sensitive information regarding students, employees, or other private information. They may contain information that is confidential or proprietary to the University as a whole, or which the University is obligated to maintain in confidence pursuant to contract or regulation. Additionally, the University is obligated to comply with the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA), among other legal duties. These compliance obligations, as well as the requirements of business continuity and efficiency, require Pacific to take steps to ensure that all email for University business is conducted in a sufficiently secure manner.
The use of personal email accounts for conducting University business significantly degrades the effectiveness of information security protocols at Pacific, and can place the University and individuals out of compliance with relevant legal and regulatory requirements. Pacific's internal email systems are protected and secured in a number of ways that personal email accounts generally are not. Personal email accounts containing University records may, as a whole, become subject to review in compliance, claim or litigation settings, and the review and capture of University records from such accounts can represent significant costs to the University.
Additionally, recipients of email communications from Pacific employees acting within the scope of their duties should clearly know the identity, source, role and contact information of the email's author. The University's brand and identity are reflected in its communications, and a uniform approach to signature blocks demonstrates a consistent, professional, and credible message to email recipients.
This policy applies to all University of the Pacific employees, contractors, and volunteers, including faculty, staff, coaches, administrators, students and temporary employees, who have access to Pacific's information technology based email resources.
As used in this policy, the following terms are defined:
1. "Doing the business of the University" and "University business" refer to actions taken pursuant to the scope of one's duties or responsibilities as an employee or contractor of University of the Pacific. It also refers to actions in which one is receiving, transmitting or storing information made available or accessible as a result of such duties.
2. "Users" refers to all University of the Pacific employees, contractors, and volunteers doing the business of the University, including faculty, staff, coaches, administrators, student employees and temporary employees.
3. A "University-issued email account" (e.g., email@example.com) is the email account provided by the University in connection with one's employment, contractor or volunteer status, consistent with other email-related policies.
4. A "personal email account" (e.g., firstname.lastname@example.org, @gmail.com, @[private email server].com) is an email account other than a University-issued email account, often maintained by an individual for personal reasons or for business purposes other than those associated with University business.
5. "Spam" is unsolicited, undesired, or illegal messages in general (private messages on websites, SMS, messenger, etc.).
6. "Phishing" is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (indirectly, money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication.
1. University business conducted via email must be conducted using the University-issued email account at all times and in compliance with other communications-related policies.
2. All Users will be given a University-issued email account (e.g. email@example.com) for conducting University business whenever appropriate for the role of the User.
3. All Users should establish an email signature block consistent with samples to be made available from business units, colleges or departments, which clearly state the User's name, title, and contact information. These signature blocks shall be used at all times when the University-issued email account is used and should be used on every device on which one conducts University business. Signature blocks should produce consistent, clearly-formatted content, readable in all relevant formats (e.g., html, text). Quotations or other embellishments, including graphics, which are inconsistent with the University's samples and the University's non-profit educational mission, branding and identity, or which may appear to endorse a political party or candidate or religious affiliation, may not be used. For faculty, the Provost's office will resolve any questions regarding this standard, and for staff it shall be Human Resources.
4. Users may not automatically redirect or forward email from a University-issued account to any other email account(s) that are outside the University.
5. Users may not direct others (e.g., other University employees, third parties, vendors, students) to Users' personal email accounts, in order to communicate for purposes of conducting the business of the University.
6. Users are responsible for protecting confidential information contained in email, including student records, employment records, HIPAA, FERPA, personal health information (PHI), Payment Card Industry data (PCI) and all other forms of regulated, proprietary or sensitive data. This applies also to information which is "at rest," or otherwise stored in any manner by the User, which is the subject of Information Security Policy. Tools such as encryption will either be made available by Pacific Technology or approved by Information Security, but the User is ultimately responsible for understanding and meeting confidentiality requirements.
7. Occasional and incidental use of Pacific email for personal purposes is considered acceptable as long as such use does not interfere with Pacific business and the content is within the professional standards required of Pacific personnel.
8. There is no expectation of privacy within the Pacific email system, including for personal email. The University may, at its option, scan email using various technologies to identify information security issues such as unencrypted regulated data, links to malicious websites, and documents with malicious software. Email that presents an information security risk, such as phishing attempts, may be removed from accounts without user notification. For reasons relating to compliance, security or legal proceedings (e.g., subpoenas) or in an emergency or in exceptional circumstances, the Office of the General Counsel may authorize the reading, blocking, sequestration or deletion of data contained in the Pacific email system. In some circumstances with the consent of the Office of General Counsel, the University may grant supervisors or others access to the email boxes and data records of Users who are former employees or former volunteers.
9. If Users store University business-related information in personal email accounts, computers, servers or other media, these data sources may be the focus of review and data collection in regulatory, claim or litigation settings. If Users store such data in violation of this policy or the Computing and Communications Confidentiality Policy or other similar policies associated with the confidentiality of information, Users may be subject to discipline up to and including termination, consistent with the User's position and associated disciplinary policies. Similarly, contractors may be subject to removal from a contract for services or termination of a related contract. In addition, incidental costs associated with storage of data in violation of this policy, including e-Discovery, data recovery or related compliance costs, may be charged to the User's department, academic or administrative unit, or sought to be recovered from a contractor or volunteer who violates this policy.
10. Pacific email accounts are not to be used for sending of bulk email inside or outside the University. Pacific email accounts will have limits on number of emails sent within a designated time period and number of recipients included in a single email as required to mitigate security problems such as phishing and spam. Refer to the Electronic Mass Communications Policy for rules governing bulk email distribution.
11. Access to University-issued email accounts in the name of an individual is not to be shared with other users unless a delegation request has been made and approved. Users are prohibited from impersonating any other person or group through use of an email account or modification of email headers or other characteristics to deceive recipients.
12. Shared accounts such as for departments or business functions will be accommodated but require a designated User who is a current employee and will be responsible for managing the account.
13. Email account privileges are a function of employment or volunteer status of the individual. While the University reserves the right to suspend or revoke email privileges at any time and without notice consistent with this and other policies, the policy governing those privileges in post-employment situations is outlined below, with exceptions granted on a case-by-case basis with supporting business justification as described below:
a. Staff and volunteers – Staff employees and volunteers will have email privileges removed effective on their last worked day.
b. Faculty who leave before retirement – Faculty (whether tenure track or non-tenure track) who leave employment by the University before retirement may keep their University-issued email account for four months from the end of the last month in which they taught.
c. Retired Faculty – During their lifetime, faculty who have retired from the University will be permitted to retain their email privileges if their account remains active. "Active" in this sense will mean that a User has logged onto the email account within a 180-day period.
d. Temporary employees such as students and contractors will have email privileges removed effective on their last worked day or contract termination, whichever comes first.
e. In any circumstance, the University may suspend or revoke email privileges of any User who is no longer employed by the University.
a. Granting of an Exception - Exceptions to this policy will only be granted if an appropriate justification for the exception is approved and the person responsible for that area of information management, the appropriate Information Administrator and the academic or unit leader (VP, dean, etc.), accepts the additional risk and/or responsibilities posed by the exception.
b. Applying for an Exception - To apply for an exception to this policy, the requestor will prepare a written request for the exception (email is acceptable), along with a justification, and deliver the request to the Chief Information Security Officer (CISO). The CISO will work with the requestor, appropriate unit IT personnel and the academic or unit leader to explore whether there is an alternative that complies with current policy.
c. Arbitrating a Denial - If the matter cannot be promptly resolved to the satisfaction of all parties, the request for exception will be presented to the full Information Strategy and Policy Committee (ISPC) along with appropriate analysis by the University IT Security Officer and unit IT leadership. The CIO with advice from the ISPC is the final arbitrator of all requested exceptions to security policies. The University Information Security Office will maintain a record of all exception requests, their resolution and any accompanying documentation. This record will be made available to the ISPC to assist in the review and revision process for these policies.
It is the responsibility of each User to understand their privileges and responsibilities under these and other Information Technology Policies and to act accordingly. Users failing to abide by these policies may be subject to corrective action up to and including dismissal, expulsion, and/or legal action by the University. While technical corrective action, including limiting user activity or removing information, may be taken in urgent situations by authorized Information Technology staff, other corrective action, technical and/or non-technical, will be taken in accord with this and other applicable University policies and procedures.
Contact Information
Contact IT Security
Information Management Policy
Acceptable Use Policy
Electronic Mass Communications Policy
Computing and Communications Confidentiality Policy