(1) Email provides a channel for members of the University community to interact with one another, business, government and students. It can be used effectively to further the vision, mission and goals of the University by sharing information and exchanging ideas. However, the same protocols, courtesies, lines of management and approvals apply to email as they do to hard copy communications.
(2) This policy provides a framework for the appropriate, effective and efficient use of University email resources. In addition to general usage principles the policy also addresses the issues of privacy, confidentiality and security. Use of University email resources is also subject to the IT Acceptable Use of Resources Policy and must be consistent with all relevant University policies including the Code of Conduct - refer to the Associated Information page for more information.
(3) Where email is sent and received by an employee who is acting in their University capacity, it forms part of the official record of the University. Record-keeping and archival policy and procedures ensure that accountability, audit requirements and the requirements of the State Records Act, 1998 are met. The deletion of emails sent or received by a member of staff in the performance of their duties as an employee of the University must conform to the minimum retention requirements issued under the State Records Act, 1998.
(4) Email is subject to the laws and protocols applying to other communications including copyright, breach of confidence, defamation, privacy, contempt of court, anti-discrimination legislation, the creation of contractual obligations and criminal law. Emails can be accessed under the Government Information (Public Access) Act, 2009, or through an order of a court or tribunal. A listing of relevant legislation is provided on the Associated Information page. The immediacy and convenience of email and the ability to use it to contact a wider group of people can also make it easier to inadvertently breach the law. It is important to note that even deleted emails can be forensically retrieved.
(5) The University acknowledges that the use of email can increase pressure on workplaces through the large number of emails sent to some staff and the expectations of an immediate reply. Staff are not expected to respond to emails outside of normal work hours.
(6) This policy does not address the ownership of intellectual property stored in or transmitted via email which is governed by the Intellectual Property Policy.
(7) For the purpose of this policy:
a. Commercial Email - is an email that:
i. offers, promotes or advertises goods and services (including educational services),
ii. originates from, or is sent to, a location outside the University network,
iii. is sent to a person who has not consented to receiving the email or emails of that type from the sender, and
iv. is sent to an address, other than the address of:
a current student,
a former student,
the household of a current student; or
the household of a former student.
b. Email - means a message, including any attachments, in an electronic format that is sent from one user to one or more users via a computer network using an email protocol (e.g. SMTP IMAP, MAPI, POP).
c. Digital Signature means an electronic code used :
i. to authenticate the identity of the sender of the email or document ; and
ii. to confirm the email or document has not been altered since it was digitally signed.
d. Mailing list - means mailing lists hosted on servers using specialised mail list software to process incoming and outgoing messages. This policy does not address personal mail lists created in your local email software.
e. Spam is an email that:
i. is unsolicited,
ii. is sent to a large number of email addresses; and
iii. does not relate to University business, or.
iv. is defined as spam under the Spam Act, 2003
f. University - refers to the University of Western Sydney.
g. University Email - includes emails, regardless of whether the content relates to University business or is of a personal nature, where the email is:
i. sent or received using a University Email Server (including emails downloaded or redirected from a private ISP);
ii. addressed to a University Email Address, or
iii. addressed as coming from a University Email Address,
iv. but does not include spam.
h. University Email Address - means an email address that includes a domain name of the University or one of its related entities (e.g. email@example.com).
i. University Email Resource - means any University Information System used for the purpose of receiving, transmitting, storing or sending an email or attachment.
j. University Email Server - means a computer that is owned or operated by the University and is used to manage, store, route or transmit email generated by or sent to other computers within the University network.
k. University Information System - means:
i. any system designed or intended to be used for the purpose of the storage or transmission of electronic data that is owned by, operated by or under the control of the University; and
ii. anything designed or intended to be used in connection therewith and includes a University Email Server, a University Email Address, an email list, IP address, domain name, Internet connection, intranet, computer software, computer hardware, computer network or telecommunications device.
l. User - means any person allocated a University email account.
(8) This policy applies to all users of University email accounts.
(9) This policy applies to emails, the contents of emails, electronic attachments to emails and transactional information associated with such communications.
(10) All University staff and students, and some associates of the University are provided with access to an individual University email account for the purpose of sending and receiving official emails related to the business of the University or the student's enrolment and program of study with the University.
(11) The University distributes important information, formal notices and other official communications via University email accounts and expects staff and students to check their account and read their University email regularly. It is recommended that all users check and read their email daily, where practical.
(12) When using University email resources, as with all other forms of communication, it is expected that users will respect confidentiality, privacy and legal/professional privilege and ensure that the content and distribution of emails will not undermine responsibilities in regard to these requirements. It should be noted that unnecessary dissemination of email drastically increases the likelihood of a breach in this regard.
(13) Users are also expected to ensure that their usage is legal and complies with all relevant University policies and procedures in particular those governing record management. A list of key statutes and policies is provided on the Associated Information page for this policy.
(14) The University's email resources are not to be used to broadcast unsolicited personal views on non-University related matters. Any public comment or representation as a spokesperson of the University must be made in compliance with the provisions of the University's Media Policy and the Code of Conduct.
(15) Users must not use University Email Resources in a manner that includes language that constitutes unlawful discrimination, including vilification, or in a manner that intimidates, offends or humiliates any person contrary to the University's policies on harassment, vilification and bullying.
(16) Use of University email resources for any private commercial activity or external private work is prohibited except where the University has specifically granted exemption from this restriction in accordance with the External Work Policy.
(17) Staff must use their University email address and provide their University identity when sending official University correspondence via email and must place these emails in the University's records.
(18) Official correspondence to students must be sent to students' University email addresses, although copies may also be sent to students' personal addresses.
(19) The University permits limited personal use of University email accounts on the proviso that such use is legal, consistent with all relevant University policies and does not interfere with or conflict with University business. Users should note that personal emails remain subject to the provisions of this policy and as such may be accessed in accordance with the relevant procedures. Having regard to this and the general insecurity of email, the University strongly recommends users utilise non-University email resources for confidential or sensitive personal communications.
(20) The Chief Information and Digital Officer or nominee may grant access to email records to appropriate University employees for business purposes, strictly in accordance with the procedures in this Policy.
(22) Access to and use of the University's Email resources is a privilege accorded at the discretion of the University. The Chief Information and Digital Officer or their nominated delegate may temporarily deny or restrict access to its email resources by a user when necessary to:
a. prevent a breach of law, or
b. prevent a breach of a University policy, or
c. conduct an investigation into a potential breach of the law or a policy, or
d. maintain the integrity of the University Information System.
(23) A breach of this policy may be dealt with as a breach of discipline and dealt with in accordance with the relevant employment agreement and/or University policy.
(24) The University endeavours to maintain the security of University email, whether of a business or personal nature, but it cannot guarantee confidentiality or undiscovered interception or alteration of communications by third parties. Current email transportation methods cannot be regarded as secure. Email forgery can and does occur. To prevent the misuse of email, users should:
a. verify the authenticity of email that suggests an unusual course of action;
b. not use emails to communicate sensitive personal, commercial or other information;
c. use their own passwords and email accounts and not permit others to use them;
d. not look at other people's emails without their consent;
e. be aware that by sending messages to open groups their email address will become public; and
f. be aware that forwarded messages can be changed from the original.
(25) In order to efficiently manage the University Email Servers, the University monitors server performance and retains logs, backups and archives of emails sent or received through the server. Even if an email has been deleted by a user, the University may still retain archived andor backup copies of the email. Only staff approved by the Chief Information and Digital Officer may examine such records, and only for the purposes of this policy, as required by law or for ensuring the confidentiality, integrity and availability of the University Information Systems.
(26) As part of monitoring the system the University may limit:
a. the size of individual emails sent using University Email Resources,
b. the total volume of email sent using University Email Resources, and
c. the amount of email retained on University Email Resources.
(27) The University may block emails that are determined by the University and/or its security and email monitoring software to:
a. contain attachments of a type that can carry malicious computer code,
b. possibly be spam,
c. possibly contain malicious computer code andor
d. contains demeaning or threatening language,
e. is contrary to University policy.
(28) Further detail about the monitoring of University email is contained in the Workplace Surveillance Policy.
(29) Users should not use University email resources in a manner that could reasonably be expected to directly or indirectly cause excessive strain on any part of the University Information System, or unwarranted or unsolicited interference with others' use of the University Information System. This would include use that consumes a large amount of bandwidth (e.g. through the use of large attachments) or the distribution of screen savers, games, spam or the like.
(30) Any surveillance must be conducted in accordance with the University's Workplace Surveillance Policy and the Workplace Surveillance Act 2005.
(31) The Chief Information and Digital Officer may formally delegate any responsibilities, powers or duties assigned under this policy to another person or persons.
(32) The University provides directories of email addresses ("University Email List"). These are important to our ongoing work and their integrity and usefulness must be preserved. There are three types of mailing list:
a. A General Email List may be established for all, or a defined sub-set, of the University population. Membership of the list is mandatory for members of the University population who fall within the defined membership of the list. It does not include lists established by Schools or Units for communications to their own staff.
b. Unit Email Lists may be established by any unit for communications to its own staff.
c. Special Interest Email Lists may be requested by any user for the recurrent dissemination of information relating to the functions of the University to the subscribers. Membership of such lists is voluntary.
(33) General Email Lists:
a. can only be established with the permission of the Chief Information and Digital Officer.
b. will be moderated by a person approved by the Chief Information and Digital Officer.
c. members can only unsubscribe from the list with the permission of the moderator.
d. only emails that are approved by the Moderator or the Chief Information and Digital Officer may be sent via a General Email List.
(34) Unit Email Lists:
a. can only be established with the permission of the Unit Head or their delegate.
b. will be managed by a person approved by the Unit Head or their delegate.
c. members can only unsubscribe from the list with the permission of the Unit Head.
(35) Special Interest Email Lists are subject to the following:
a. No person may be included in the list unless they have subscribed to it. This does not prevent the use of a list to send an unsolicited email containing an invitation to join the list to one or more people provided that the email clearly states that the person will receive no further emails unless they elect to join the list.
b. Subscribers have the right to unsubscribe at will.
c. Only subscribers to the list, or a person who has been authorised by the Chief Information and Digital Officer, can send emails via the list. This does not prevent a person asking a subscriber to the list to send an email on their behalf, however, the subscriber is responsible for ensuring that any such email complies with this policy.
d. The List Owner must provide a list of the subscribers to the Chief Information and Digital Officer when requested to do so unless this would reveal sensitive personal information (as defined in the Privacy and Personal Information Protection Act, 1998) about a subscriber.
e. List Owners must remove a subscriber from the list where the subscriber has used the list in a manner contrary to law or the University's policies.
f. List owners must create a meaningful list title.
(36) All University Email Lists are subject to the following:
a. The content of emails sent using the University Email Lists must relate to the business of the University or further the vision, mission or goals of the university.
b. Staff must not provide external organisations with copies of University Email Lists.
c. The transmission of unsolicited email should only occur where the recipient can be identified as having a high probability of having a particular interest in the subject matter. If a recipient indicates that they do not wish to receive further messages on a topic, or from an individual or group, no further messages should be sent unless the message is sent as part of a General Mailing List.
(37) This Part deals with circumstances under which access may be provided to the contents of a University email account assigned to another user. While it is highly unlikely that a student may need to access the email records of another user, the same procedures will apply, if a genuine need can be established.
(39) The main circumstances under which such access could be provided would be where there is evidence that email is being used for malicious purposes or where there is a serious and imminent threat to University property or individual safety. The University Privacy Management Plan provides a formal complaint procedure where a person believes that there has been or will be a breach of their privacy. The University investigates these complaints with oversight by the NSW Privacy Commissioner.
(40) While the University allows reasonable personal use of its email system users are strongly advised to use other email providers if they have concerns about personal content being accessible in the University's systems. Organising email folders so that personal email is not interspersed with University related email could also help to protect privacy.
(41) Emails dealing with University business are University records. As such, staff are obliged to ensure these emails are placed on formal University files (such as TRIM), preventing the need for access to the user's email account. Staff who will be absent from the University must ensure that information held in their email accounts that is relevant and necessary to conducting the University's business is accessible to those having a need for it.
(42) Access to a user's email records, albeit for official business purposes, must be regulated to protect the privacy of individuals. The following procedure aims to maintain the integrity and privacy of email accounts but at the same time enable legitimate access to official University information in the absence of the user concerned.
(43) The Chief Information and Digital Officer, or nominated delegate, may provide a staff member with copies of (or extracts from) official University emails sent by or to another user, and/or access to email logs, where the user has consented to making the information available, or in the following circumstances:
a. the applicant staff member requires access to the email or logs, as part of their duties as a University staff member;
b. the email content is related to the business of the University and would be regarded as 'University records';
c. all reasonable efforts have been made to inform the user of the application and obtain their consent to the access;
d. the information in the email account cannot be reasonably obtained by any other means (e.g. via TRIM); and
e. the need for the information cannot wait until the user is able to be consulted.
(44) A staff member may apply to the Chief Information and Digital Officer or their nominated delegate for access to an official email account in accordance with this Part. The application must address the points in the previous clause and the relevant Dean /Director, University Research Centre, Director, School Manager or more senior officer must endorse the application.
(45) In considering the application, the Chief Information and Digital Officer or their nominated delegate should ensure that only the least perusal of contents and least action necessary to comply with the application occurs and that any content not relevant to the business of the University or containing personal information relating to any person is deleted from the information provided to the applicant.
(46) The Chief Information and Digital Officer or their nominated delegate will also forward a notice to the user of the action taken and provide advice of the information that has been released. If the user believes the action taken with respect to official University information was inappropriate, they should initially raise the matter with their supervisor, Dean , or the relevant Deputy Vice-Chancellor. The University's complaints procedures are also available if the matter cannot be resolved. If the user is of the view that their privacy has been breached by this action they may request an Internal Review in accordance with the Privacy Management Plan.
(47) In order to provide access to an email account, the Chief Information and Digital Officer or their nominated delegate, or Information Technology and Digital Services Staff appointed by the Chief Information and Digital Officer or their nominated delegate, may examine all the emails of the user in order to determine the correct email records and whether the information contained in the application relating to the email is accurate. Any personal information that may be inadvertently found during such examinations must be kept strictly confidential.
(48) Occasionally, the University's Information Technology and Digital Services receives requests from staff seeking verification that an email has been sent or received by a nominated University student email address. Such requests should be emailed to the IT Service Desk, and include the information necessary to enable the transaction to be traced.
(49) In these cases the CIDO (or nominee) will normally advise:
a. Whether the email described was sent or received by a nominated University student email address at the date and time indicated; and
b. In the case of mass email messages, whether the email has been marked as opened.
(50) From time to time University staff may engage in the sending of commercial emails that offer goods or services from the University. The full definition of what constitutes commercial email is contained in the definitions (Section 2). All Commercial Emails are governed by the Spam Act, 2003.
(51) A Commercial Email must contain:
a. the university's name, logo and contact details, or
b. the email author's name and contact details; and
c. a statement to the effect that the recipient may use an electronic address specified in the email to send an unsubscribe message.
(52) Staff sending Commercial Emails must ensure that the unsubscribe facility specified in the email is functional and requests are acted upon.
(53) Commercial Email must not be sent to a person who has submitted an unsubscribe request.
(54) University staff must not use email address harvesting software or an email address list that has been produced using such software. For this reason, care must be taken when using email lists provided by sources outside the University.
(55) By law, digital signatures can have the same legal status as written signatures. Staff must not use digital signatures in place of written signatures without authorisation from the Chief Information and Digital Officer.
(56) Attachments must be in a format that can be read by a readily available program for which the University holds a licence in order to ensure that they can be read in the future. This means that documentary attachments (not including spreadsheets, databases and the like) should be in ASCII, TXT, RTF, DOC or PDF format.
(57) Official emails must only be encrypted and sent using software approved by the Chief Information and Digital Officer.
(58) Emails, including emails of a private or personal nature, are regularly backed up and/or archived by the University. It is not feasible to separate private or personal email from this process. Nothing in this policy prevents such backups or archiving. Requests for copies of backed up or archived emails will be treated in the same way as requests for copies of the original email.
(59) Information Technology and Digital Services is not obliged to provide a user with copies of personal emails that it has backed up or archived although all reasonable efforts, within the constraints of Information Technology and Digital Services's resources, will be made to comply with such a request.
(60) The following information is provided as a guide to facilitate efficient use of University Email Resources.
(61) Users should:
a. determine the appropriate person to whom an email is to be sent. Forwarding emails to a number of people can lead to uncertainty as to the responsibility for action, double handling, wasted time, lost information, delayed responses and general frustration.
b. keep emails within their appropriate channel of decision making as this promotes efficient and effective management.
c. address the email only 'TO' those people who are required to take some action in the matter. The 'CC' field should be used for those people to whom the email is sent only for information purposes; or
d. include an appropriate note in either the subject or at the beginning of the message where an email is being sent for information purposes only. This can be done either by stating that the message is "For your information" or "No action is required on your part".
(62) Users should:
a. ensure that the subject and content of an email is concise and meaningful.
b. avoid sending single emails covering multiple unrelated matters.
c. ensure that the tone and content of an email is consistent with the professional tone and practices appropriate to University communications.
d. identify themselves clearly in all University Emails that they send. For example staff should consider including include their name, job title, telephone numbers and physical address at the end of the email message.
e. include one of the following disclaimers in any University Email sent by them where it is appropriate to do so:
"This message contains information that may be confidential and privileged. Unless you are the addressee (or authorised to receive the message for the addressee), you may not use, copy or disclose to anyone the message or any information contained in the message. If you have received the message in error, please advise the sender by return email and delete the message."
"This email contains the thoughts and opinions of (your name) and does not represent the official University policy."
f. ensure that it is made clear to any recipient that the email is not being transmitted by a user in any capacity as a representative of the University when University Email Resources are used for personal purposes.
(63) Users should avoid:
a. activities that place an unnecessary strain on University Email Resources.
b. activities that are better suited to an alternate form of communication. For example use of email to deal with disputes and difficult situations should be avoided. Personal face-to-face communication is a better collegial model for solving problems and creating a positive work climate.
c. activities that are or might be perceived as harassing in nature. This would include emails that:
i. incorporate non-inclusive language,
ii. have a harassing tone, or
iii. are sent at an unreasonable rate or frequency, for example where the respondent is not given a reasonable time to respond.
d. soliciting large volumes of incoming email that is not directly relevant to their role. Users may be required to unsubscribe from external mailing lists if they consume large amounts of bandwidth, storage space or otherwise compromise the University Information System
e. unrealistic expectations that infer a greater priority be given to email requests over other forms of communication, requests for information or assistance.