Policy Statement
߲ݴý University provides an email system for students, faculty, staff, alumni, contractors and others to facilitate communication related to academic, administrative, and community engagement matters. Email is an official means of communication for the University, and users are responsible for communications via this system. The University strives to administer this system for the entire ߲ݴý community in a manner that preserves a level of confidentiality as outlined in this policy. The University will execute this policy while maintaining compliance with relevant State and Federal laws, regulations, and University policies.
Although the University does not recommend personal use, it recognizes and permits limited personal use of the colgate.edu email domain (and its subdomains). This personal use does not acquire a right of privacy for communications transmitted or stored using University electronic information resources (EIR).
This policy defines the roles of stewards and custodians in regards to email. Custodians are tasked with the care of email accounts. Stewards are responsible for ensuring email content is seen only by those who have a need to see it as defined by this policy. Account types are assigned specific stewards. A table of what stewards are responsible for what account types can be found under the email Stewards heading at the end of this policy.
Principles and Standards
Custodians of email must never access or disclose the contents of any email for which they are not correspondents except when authorized by defined email stewards under strict guidelines in the following situations:
- In the event of a health or safety emergency.
- In response to a court order, subpoena or other compulsory legal process.
- As part of an internal investigation involving a breach of policy or law.
- In immediate need to continue a critical and time-sensitive business process.
- To provide business continuity in the event of a death or employee departure.
Reason for this Policy
The University strives to protect email communications from inappropriate access or disclosure. This policy provides clear policy guidelines for those circumstances in which access to email is granted to those other than the named account holder. It insures an appropriate level of oversight, control, and accountability for such actions.
Scope of Policy
Entities affected and bound by this policy include all members of the University including those users of ߲ݴý's email for Life offering except where otherwise indicated in this or other policy.
This policy is in direct relation to ߲ݴý's email system but may be used as a general guideline concerning all other forms of electronic communications transmitted or stored using ߲ݴý's electronic information resources where specific policy may not yet be adopted.
Procedures: Requests to Access or Disclose Email Content
In the event of a health or safety emergency, the University may access and/or disclose the content of email according to the following procedure:
- The Information Privacy & Security Officer (IPSO) may only grant access and/or disclose the data upon request of the Director of Campus Safety, Director of Health Services, Director of the Counseling Center or a member of the President's Staff. Emergency requests may be made directly to the IPSO.
- In order to preserve any potential evidence, the IPSO will make a second copy of the requested contents on read-only medium and stored in a secure location, clearly labeled and sealed. The IPSO will create an incident document summarizing the request, the process used in obtaining the contents and any other relevant observations during the event.
- In the interest of saving time during the emergency, the original request may be verbal. As such, after the request is fulfilled, the requesting party will provide the IPSO with a formal (written or emailed) request citing the nature and detail of the information requested. As soon as is practicable, the IPSO will notify the appropriate email steward(s) and the CIO of the request with a Notice of Preservation & Access.
- To ensure the emergency request procedure in this policy is not abused, emergency requests will be reviewed by the President’s Staff within a reasonable time after the event at which time any adjustments to this policy may be made.
In the event of a court order, Subpoena, litigation hold or similar request/demand, Legal Counsel may be asked to review the validity and authenticity of the request/demand. Legal Counsel may then provide advice regarding the University's obligations to comply and the University is free to comply with that advice notwithstanding any provision of this policy.
- A member of the President’s Staff or the Special Assistant to the President for Legal Affairs may make a direct request to the IPSO along with any additional and/or specific instructions to preserve the email content.
- The IPSO will make a copy(s) of the evidence as per the instructions and will create an incident document summarizing the request, the process used in obtaining the contents and any other relevant observations during the event.
In the event of an investigation involving an employee or faculty related to his or her employment status, requests for access may be made to specified email stewards.
- All requests to access an account holder's email must be made formally, in writing or by email, to the appropriate account holder’s email steward (see email Stewards) by an employee’s manager, immediate supervisor or director, a student’s academic advisor or professor, a member of the Equity Grievance Panel (EGP), a member of the President’s Staff or another email steward. To avoid unreasonable searches and fishing expeditions, each request must contain a detailed reason for the request with a range of dates in which to search along with keywords or other information that can narrow the search to the pertinent investigation.
- Requests will then be vetted through an Administrative Council consisting of four (or more) members of the President's Staff. The Council reserves the right to ask for the opinions of other University members when deliberating. Investigations involving faculty email will have two additional members taking part on the Council; the Chair of the Committee on Information Technology and the Chair of the Faculty Affairs Committee. Decisions will be made based on a majority vote of the Council.
- Approved requests will then be sent to the IPSO. The IPSO will perform the search on the email account(s) using the keywords and dates supplied with the approved request. The IPSO will create an incident document summarizing the request, the process used in searching for the keywords in the request and any other relevant observations during the event.
- Findings from the initial search may then be given to the email steward(s) along with a Notice of Preservation & Access if and when appropriate. If the initial search is fruitless, no further investigation may be made on the email account(s) without the requesting party making a new official request.
- If the initial search is fruitful, the IPSO will make a copy of the related contents to a read-only medium and store it in a secure location, clearly labeled and sealed. The IPSO will append the incident document with a summary of the request, the process used in obtaining the contents and any other relevant observations during the event. As soon as is practicable, the IPSO will notify the CIO of the request with a Notice of Preservation & Access.
- Access to the content of the emails identified from the initial search may then be requested by the email steward(s). If such a request is made, a second copy of the email contents will be saved to a read-only medium and delivered to the appropriate email steward.
In the event an employee or faculty member's professional association with the University has ended, or the account holder is unavailable and without access to their email, it may sometimes be necessary to access information stored in the account holder's email in order to preserve business continuity.
At no time may the user who has been granted access be permitted to send email as (or impersonate) the account holder.
- In such cases, supervisors may make requests for access through the proper email steward(s) (see email Stewards). Such requests must be reasonably limited in scope and time. Approval for granting access is under the discretion of the email steward. Approved requests may then be sent to the IPSO whereas the IPSO may change the account password and give that password to the email steward.
- The IPSO will create an incident document summarizing the request, the process used in obtaining the contents and any other relevant observations during the event. As soon as is practicable, the IPSO will notify the CIO of the request with a Notice of Preservation & Access.
- Requests will be reviewed by the President’s Staff within a reasonable time after the event at which time any adjustments to this policy can be made.
Parents or legal guardians may request access to email in the event of their child's death. If access to an account is granted, it must be for a defined and limited period of time. Prior to granting access, the account may be archived. Access requests can be made through the Dean of the College at his or her discretion.
- Approved requests will be sent to the IPSO at which time the IPSO will change the password and give it to the Dean of the College. All requests will be documented and may be reviewed.
- Students may also designate a proxy (usually a parent, grandparent or other legal guardian) to have access to their personal email in the event of a medical emergency or death. Student workers may not allow a proxy to access their given employee email account.
In the event of an employee’s departure from the University, access to email may be granted via the procedure to continue a critical and time-sensitive business process (Procedure D) above.
All other email accounts are designated and designed for ߲ݴý business use and are the property of the University; access to these accounts may not be granted or willed to spouses, family, or friends upon the account holder’s death.
Email Archiving Guidelines
As it is impossible for the University to anticipate every scenario involving access to email, the University strives to mitigate risk by archiving certain email accounts.
Email transmitted or stored in ߲ݴý's email system may be archived. Unless otherwise noted in this policy, the archived email is not available to account holders. The length of time email is stored is listed below:
User Type | Email Archive Life |
Students | Except in cases of legal matters and where otherwise noted in this policy, a student's email is not automatically archived and their account is purged one year after attending the University unless they sign up for the "Email for Life.” |
Student workers | Students employed by the University while attending ߲ݴý may be provided with a separate email account with which to conduct ߲ݴý business. Student worker email accounts may be archived during and after their employment. |
Alumni | Alumni are offered the opportunity to keep their student email address upon graduation through a program called “Email for Life”. These accounts are not automatically archived and accounts may be purged immediately after an Alumni opts-out of the service except in matters where a litigation hold has been placed. |
Alumni employees | Many alumni spend some part of their professional career working for the University. Those alumni who have opted-in to "Email for Life" may be given a new account to be used for conducting ߲ݴý business. Both their “Email for Life” account and their business account may be subject to archiving during and after their employment. |
General staff | General staff email accounts may be archived during and after their employment. |
Executive staff | Executive staff positions and those positions which are permitted to conduct contract negotiations or make capital purchases on behalf of the University may have their email archived indefinitely. |
Faculty | All faculty email is to be archived during the professor's stay at ߲ݴý University. Faculty email may be purged ten years after their association with the University has ended. |
Emeritus | Emeritus faculty may retain access to their colgate.edu email account. Such accounts should be used primarily for conducting business, research and maintaining a professional connection to the University. Emeritus email accounts may be archived indefinitely and not purged upon the account holder's death. |
*In the event of an investigation or other authorized access to an account, the account holder's email may be archived from the point of time when the investigation began until, at minimum, one year after the account holder's association with the University has ended.
General Summary
As a general rule, ߲ݴý treats all email as confidential. Any attempts to access email during transmission or while stored without going through the proper procedures listed above is unauthorized. Violators of this policy may be sanctioned, terminated and/or face criminal charges.
Below is a general guideline for who has authority of access to specified account types.
Account Type | Preservation and Access |
Student email | Student Mail The Deans of the College or Admissions are responsible for relaying requests for access to the Administrative Council. Student email may be accessed in health and safety emergencies, and investigations involving (but not limited to) harassment, academic dishonesty, and breaches of the Code of Student Conduct. Student email is not archived unless an authorized access has been granted. In such cases, the life and duration of the archive may vary in accordance to the legal requirements surrounding the investigation which prompted the need for access. |
Student worker email | The Associate VP of HR and the Deans of the College or Admissions are responsible for relaying requests for access to the Administrative Council. In addition to above, a student worker's account may be accessed for reasons of business continuity, HR investigations or litigation hold. Student worker email accounts may be archived for a minimum of four years after the student graduates. |
Alumni email | Requests for access to alumni email must be sent through the VP for Institutional Advancement. As outlined in the Email for Life EULA, alumni email is subject to the same level of confidentiality as any colgate.edu email address. |
Faculty email | Stewardship of faculty email accounts is the responsibility of the Provost. In addition to what is listed in this policy, access to archived faculty email may be granted to former account holders for purposes of research at the discretion of the Administrative Council. Investigations involving faculty email will have two additional members taking part in the Administrative Council; the Chair of the Committee on Information Technology and the Chair of the Faculty Affairs Committee. Faculty email may be archived for a minimum of ten years after employment. |
Faculty emeritus email | Access requests to faculty emeritus email accounts must pass through the President of the University. All faculty emeritus accounts may be archived indefinitely. |
General staff email | The Associate VP of HR is responsible for relaying requests for access to employee email accounts to the Administrative Council. Employee email accounts may be archived for a period no less than seven years after employment. |
President's staff email | The President of the University is responsible for bringing access requests to the President’s Staff's email accounts to the Administrative Council. Members of the Administrative Council on the President's Staff may not vote concerning the authorization to access their own accounts. All Presidential Staff email accounts are archived indefinitely. |
President's email | The Board of Trustees is responsible for authorizing or denying access to the President's email account. The President’s email account is archived indefinitely. |
ITS Support Staff
In the course of providing technical support, performing network security and/or maintenance (e.g., backups and restores), ITS Support Staff such as Support Specialists and/or Network & Server Admins may be required to access, observe, or intercept, but not disclose, reroute, or forward electronic mail messages. There are two circumstances when it is permissible for an ITS Support Staff to disclose, reroute, or forward the content of email:
Should an ITS Support Staff, in the usual course of business, reasonably believe that he or she has accessed information about an emergency involving imminent danger of death or serious injury, the following procedures should be invoked:
- Contact Campus Safety immediately.
- As soon as is practicable, report the incident and the underlying information to the CIO or an appropriate email steward.
In situations when a local support provider reasonably believes that he or she may have observed evidence of a violation of law or policy, the following procedure should be invoked:
As soon as is practicable, report the incident and the underlying information to the CIO or an appropriate email steward.
Contacts
You may direct any general questions about this or any ߲ݴý policy to your immediate supervisor or department director. If you have specific questions about this policy, please contact the Information Privacy & Security Officer whose information can be found on the ITS staff page.
Enforcement
As noted in Faculty, Employee, and Student Handbooks, enforcement of this policy is the responsibility of the Provost, HR, and Dean of the College where appropriate.
Related Documents
University Policies
- Student Handbook
- Faculty Handbook
- Staff Handbook
- ITS Acceptable Use Policy
- Equity Grievance Policy
- FERPA Notice
Laws and Regulations
- Federal Rules of Civil Procedure
- Gramm-Leach-Bliley Act
Reporting Alleged Violations
Violations of this or any ITS policy can and should be reported immediately to the Associate VP of HR, the CIO, Dean of the College, or the Provost and may be done anonymously.
Notice of Preservation & Access Template
Below is the template to be used as the notification letter when an email account has been accessed.
(Acting) Information Privacy & Security Officer, IPSO ߲ݴý University
Date of Actual Search
Account Holder
CC: Email Steward, Title
CC: Chief Information Officer, CIO
A request was approved by the President of the University to preserve and access your username@colgate.edu email account. Throughout this process, procedures and guidelines were followed as outlined in ITS Policy 10.1.5 to ensure the content of your email remains confidential. Please contact Email Steward, Title @ contact information for any questions you have regarding this letter.
Sincerely,
(Acting) Information Privacy & Security Office, IPSO
Roles & Responsibilities
A member of the Administrative Council and President's Staff, authorized by the University, and responsible for the maintenance and security of all electronic information resources.
Authorized in health and safety emergencies to contact ITS with requests to immediately intercept, access, and/or disclose email content. When practicable, notifies the appropriate email steward(s) of a request and makes an archive-able request to the IPSO.
- Receive requests for access to email, calling upon the Administrative Council for approval of such requests, and coordinating communications with account holders as to the nature of such requests when practicable.
- Receive Notice(s) of Preservation & Access always to be relayed to account holders when practicable.
- For a list of stewards, see the section, “Email Stewards.”
- Performs authorized actions on accounts in conjunction with approved requests for content access.
- Sends Notice(s) of Preservation & Access to appropriate email steward(s) when practicable.
- Responsible for the confidentiality, integrity and availability of University data.
Receive and evaluate the authenticity of external requests for data preservation and discovery and consult with the University as to their obligations, rights and how to proceed and comply.
In cases of health or safety emergencies, the requesting party is responsible for making the initial request for access to the IPSO and then providing official notification, when practicable, to the appropriate email steward(s).
In cases of internal investigation(s), the requesting party is responsible for justifying through probably cause the reason(s) for making their request to the email steward(s) — for providing initial search terms.
- Evaluate and approve or deny requests to have email preserved and/or accessed by individuals other than the account holder, sending approved requests to the IPSO and denied requests back to the email steward(s).
- Authorize individuals to access accounts.
- At any time, a council can be made of any four of the President's Staff.
- Investigations involving faculty email will have two additional members taking part in the Administrative Council; the Chair of the Committee on Information Technology and the Chair of the Faculty Affairs Committee.
Email Stewards
Dean of the College or Dean of Admission
Associate Vice President of Human Resources and Dean of the College or Dean of Admissions
Vice President for Institutional Advancement
Provost or Associate Provost
President of the University
Associate Vice President of Human Resources
President of the University
Board of Trustees
Definitions
Term | Definition |
Account | A colgate.edu email address and its content. |
Account holder | An individual trusted with the use of and access to a colgate.edu domain email address, usually associated directly with their username. |
Archive | Data written or stored physically over a period of time that cannot be altered. |
Confidential | Limited and/or restricted to access of content by authorized individuals. |
Content | Substantive information or creative material viewed in contrast to its actual or potential manner of presentation; data which contains, in and of itself, enough information to convey a complete thought. |
Electronic information resource (EIR) | Any device or network which transmits, stores, presents or manipulates data. |
Email for Life | Email accounts under the colgate.edu domain offered to alumni upon graduation. |
Email custodians | Any individual, not the account holder, trusted with access to account content. |
Email steward | An individual entrusted with the responsibility for helping maintain the confidentiality of certain email accounts with regards to this policy while upholding the values, mission, goals and security of the University. |
Health or safety emergency | Situation(s) where the immediate physical well-being of an individual(s) is at risk. |
ITS support staff | Individuals representing ITS responsible for maintaining the functionality of and assisting users with ߲ݴý’s electronic information resources. This staff includes but is not limited to Support Specialists, Network & Systems Admins, and the IPSO. |
Keywords | Words and/or phrases used in a data search. |
Letter of preservation | A common, court-ordered request of litigation hold sent to a party in a legal dispute as a means to prevent spoliation of evidence. |
Notice of preservation & access | A letter created by the acting IPSO and addressed to the account holder and appropriate email steward(s) of entry to an account by an authorized individual(s). |
President’s staff | The president's staff can be found here: University Cabinet |
Requesting party | Individual(s) requesting access to an account. |