ϳԹ

Skip to Main Content
ϳԹ
Information Technology

ϳԹ Policy on Electronic Mail
Email Custodianship

April 27, 2010

The framework on which this work is based was provided in part by the Cornell University IT Policy Office and its Director Tracy Mitrano, and is gratefully acknowledged.

Document Statement

ϳԹ administers an electronic mail (email) system, which it must manage for the entire college community in a manner that preserves a level of privacy and confidentiality while in accordance with relevant state and federal laws, regulations and college policy. While the college permits limited personal use of the skidmore.edu email account, faculty and other employees (as well as student employees) do not acquire a right of privacy for communications transmitted on this institutional system. Any of the functions/authority/responsibility assigned to a particular position in this document may be completed by the person holding that position “or his/her designee.”

Principles

Custodians of email must not access or disclose the content of email for which they are not correspondents, except in the following situations:

A. in health and safety emergencies; or

B. in response to a court order or other compulsory legal process; or

C. when an email steward (see table 1) has determined that there is a legitimate need to examine email in connection with an investigation involving a human resources matter or a legal or policy violation; or

D. when the information is necessary to conduct time-sensitive and or critical college business. Access is tightly controlled and limited, requiring approval of both the respective senior cabinet member and the director of Human Resources and only after other alternatives have been exhausted.

Reason for the Document

To protect electronic mail from inappropriate access or disclosure and to comply with relevant state and federal regulations, laws and policies regarding the protection of certain types of data.

Entities Affected by this Document

All entities of the college.

Who Should Read this Document

All members of the college community

Procedures

Requests to Access or Disclose the Content of Email

A. Health and Safety Emergencies
In the event of a health and safety emergency, the college will access and/or disclose the content of email according to the following procedures:

    1. IT will access and/or disclose the data upon request by the director of Campus Safety, associate director of Campus Safety, administrative director of Health Services, or member of President’s Cabinet.
    2. As soon as is practicable, IT will notify the appropriate email steward(s) of the request, what data was accessed and/or disclosed and any other relevant information, such as the approximate time of the request, access and disclosure, the name and title of the requester and the nature of the emergency.
    3. As soon as is practicable, IT will notify the chief technology officer.
    4. As soon as is practicable, the requesting individual will contact the appropriate email steward(s) (see table 4), informing that individual of the request and the nature of the information received.

B. Court Order or Other Compulsory Legal Process

    1. Legal counsel will review court order to insure validity and authenticity. Legal counsel will provide instruction regarding the college’s obligations with said order.

C.  Human Resources Matters or Potential Legal or Policy Violations

    1. The requesting party must obtain permission from the appropriate email steward(s) of the email (see Table 1, below). If the requesting party is the steward identified in Table 1 (below), permission will need to be granted by the college president.
      Note: In an email file, "email correspondents" includes all individuals listed in the "To:” "From:” “cc:” and “bcc” fields. Therefore, an email may have more than one email steward.
    2. The email steward(s) must contact the chief technology officer, providing the details of the request.
    3. The chief technology officer will communicate with the appropriate staff member in IT and/or the department requesting access and disclosure of the data to the requester.
    4. The IT staff member will confidentially access and disclose the authorized data to the requester.

Table 1: Email Stewards

 

Email correspondent(s)

Email Steward

Member of the college faculty

Vice president academic affairs

Other employees

Director of Human Resources and appropriate cabinet member

Student employee

Dean of admissions and financial aid or director of Human Resources

Student

Dean of student affairs

President of the college

Chair of the board of trustees

Direct report to the president

President of the college

 

D. The Information is Necessary to Conduct College Business

I. Forwarding Your Own Email

Faculty or other employees who will be away from their workplaces for any period of time during which access or disclosure of their email may be necessary, should consider forwarding their incoming mail to appropriate parties using a forwarding rule which can be found at: www.skidmore.edu/it/email/

II. When an Email Account Holder Wishes to Authorize Access by Another Individual to His or Her Account

An email account holder may authorize access to his or her email account on a case-by-case basis. This provision does not supersede restrictions, such as the prohibition of sharing network passwords. 

This procedure must not be used for human resources matters. For requests involving human resources matters, see B: Human Resources Matters or Potential Legal or Policy Violations, above.

III. Rerouting or Forwarding Another Person’s Email

      1. The requesting party, generally the party’s supervisor or someone approved by that supervisor, must inform his/her respective cabinet member and upon approval forward to the director of Human Resources for final approval.
      2. The director of Human Resources will evaluate the request and notify the requesting party of the outcome. If approved, the director of Human Resources will send the request to the chief technology officer, who will work with any applicable department administrator who will effect the rerouting or forwarding.

IV. Accessing a Third Party’s Existing Email

      1. The requesting party, generally the party’s supervisor or someone approved by that supervisor, must inform his/her respective cabinet member and upon approval forward to the director of Human Resources for final approval.
      2. The director of Human Resources will evaluate the request, notifying the requesting party of the outcome. If approved, the director of Human Resources will send the request to the chief technology officer, who will facilitate said access.
      3. The requesting party will inform the individual that the request to access their email was made and approved, and the nature of the information received.

 

Local Support Providers: Ordinary Course of Business

In the course of providing technical support, performing network security and/or maintenance (e.g., backups and restores), local support providers may be required to access, observe or intercept, but not disclose reroute, or forward electronic mail messages. There are two circumstances when it is permissible for a local support provider to disclose, reroute or forward the content of electronic mail messages:

Emergency Exception: Should a local support provider, in the usual course of business, reasonably believe that he or she has accessed information about an emergency involving imminent danger of death or serious injury, the following procedures should be invoked:

  1. Contact Campus Safety immediately.
  2. As soon as is practicable, report that contact and the underlying information to the chief technology officer, or member of the President’s Cabinet. (See “Reporting Alleged Violations,” below).

Responsible Use Exception: In situations when a local support provider reasonably believes that he or she may have observed evidence of a violation of law or policy, the following procedure should be invoked:

  1. As soon as is practicable, reports that contact and the underlying information to the chief technology officer, or member of the President’s Cabinet. (See “Reporting Alleged Violations,” below).

Reporting Alleged Violations

Alleged violations of this policy may be reported to the appropriate individual as detailed in Table 2. Alternatively, you may also contact your supervisor, the college’s chief technology officer or a member of the President’s Cabinet.

Responsibilities

Table 2 outlines the major responsibilities each party has in connection with college email policy and custodianship of electronic mail.

Table 2

Parties Responsibilities
Director of Campus Safety
Deputy Associate Director of Campus Safety
Director Health Services
Member of President’s Cabinet

In health and safety emergencies, contact IT Technical Services with requests to intercept, access or disclose electronic mail content.

In health and safety emergencies, when data has been accessed or disclosed, notify the appropriate email steward of the request and the nature of the information received.

Member of President’s Cabinet Evaluate and approve, or deny requests to have email rerouted or forwarded.

Send approved requests to reroute or forward email to the chief technology officer, who will effect the rerouting or forwarding.

Director of Human Resources Evaluate and approve, or deny, requests to access or disclose electronic mail content in the cases of a human resource matter or potential policy or state and federal legal violation.

Contact the chief technology officer with requests to reroute, forward, intercept, access or disclose the content of email.

Local Support Provider Access and disclose specific email messages in cases when information is necessary to conduct college business and the correspondent is unavailable.

Access, observe or intercept the content of electronic mail messages only when performing network security and maintenance functions (e.g., backups and restores).

In the usual course of business, disclose, reroute or forward the content of electronic mail messages only in the following situations:

a) in an emergency involving imminent danger of death or serious physical injury; or

b) when evidence has been observed of a potential violation of law or policy.

In emergencies involving imminent danger of death or serious injury, contact Campus Safety immediately. Report that contact to the chief technology officer or member of the President’s Cabinet as soon as possible.

Enterprise Systems, IT

In health and safety emergencies, and upon notification by the appropriate college official, access and disclose requested data.

In health and safety emergencies, when data has been accessed or disclosed, notify the appropriate email steward of the request, what data was accessed or disclosed and any other relevant information, such as the approximate time of the request, access and disclosure, the name and title of the requester and the nature of the emergency.

In health and safety emergencies, when data has been accessed or disclosed, notify the chief technology officer or member of President’s Cabinet.

Chief Technology Officer

After appropriate permission has been granted by member of President’s Cabinet, communicate with appropriate staff to initiate interception, access or disclosure of electronic mail content.

When interception, access or disclosure of electronic mail content has occurred, inform the individual about whom the request was made of the request, access and disclosure, where possible and appropriate.

Requesting Individual

In cases of human resources matters or potential legal or policy violations, obtain permission from the appropriate email steward(s) for rerouting, forwarding, intercepting, accessing or disclosing the content of email.

In cases when the information is necessary to conduct college business and the correspondent is unavailable, inform Human Resources, department head, college dean, or vice president at the time of the request; work with the local support provider to obtain the specific mail messages; and inform the correspondent of the request that was made and of the nature of the information received. In a health or safety emergency, please see “Definitions: Health and Safety Emergency.”

Definitions

Definitions apply to terms as they are used in this document.

  • Access: The ability to obtain email content.
  • Correspondent: Any individual listed in the “To:” “From:” “Cc:” or “Bcc:” fields in the header of an electronic mail message
  • Custodian: An individual with access to electronic mail data on electronic mail systems.
  • Disclosure: The act of releasing the content of electronic mail to a third party (e.g., through accessing, intercepting, forwarding, rerouting, etc.)
  • Email: Electronic mail messages and their associated attachments in a mail user agent (MUA). Note: When data contained in an email message or attachment has been printed or stored outside of the MUA, it is no longer considered email.
  • Email steward: The individual, other than a correspondent, with the authority to grant permission for the disclosure of electronic mail content
  • Health and safety emergency: A situation involving an imminent threat of death or serious injury to any person or structure.
  • Local Support Provider: An individual with principal responsibility for the installation, configuration, security and ongoing maintenance of an IT device.
  • Mail User Agent (MUA): A program, application or method used to store, transmit or receive email.

Contacts

Direct any general questions about college email policy custodianship of electronic mail to your department chair or director. If you have questions about specific issues, call the offices listed below.

Subject Contact Extension
Document Clarification and Interpretation Dwane Sterling, CTO x5909
Policy Violations    
For staff

Sarah Vero

Interim Chief Human Resources Officer 

x5809
General Dwane Sterling, CTO x5909

Related Documents