Email policies

19 April 2007
TO: Campus Community
FROM: G. M. Dennison, President and Interim Provost
SUBJECT: Changes in Campus Email

Over the last decade, the use of email has grown and changed, both at The University of Montana, Missoula, and in general. On the up side, the importance of email as a tool for official communication has continued to increase; on the down side, its use as a conduit for “spam” and other unwanted communication has grown dramatically. However, these changes have come as part of an evolution in the law and the courts applicable to email. Regardless of our individual views or perspectives, the evolving legal framework for email requires the University and all other commercial, governmental, and academic institutions to make fundamental changes in the management of email. Two legal requirements focus on 1) the need for the University to develop the capability to produce official email in response to appropriate requests, and 2) the need to assure that all official email sent by its employees to students complies with the privacy afforded to students under federal and State law. For simplicity, in what follows, I will refer to the former as the discovery/freedom of information requirement , the latter as the FERPA requirement .

In order to satisfy these requirements, the University will implement major policy changes related to email beginning on 1 July 2007. I will announce the policy details as they become available. However, we must begin now to educate everyone across campus as to the need for and nature of the changes which we must make. The following overview initiates that process, and I ask your assistance during the coming weeks to make the transition as smooth as possible. As mentioned earlier, whatever our individual views on these policies, we really have no choice but to comply with federal and State law designed to protect the institution and individual privacy.

Overview of changes, effective 1 July 2007

1. Need for Email - Supervisors will have to determine, on a case by case basis, which current and new employees require an official University email address. For those who require an address, supervisors will have the responsibility to make arrangements for that access. For those who do not require access, supervisors will also have to provide alternative access to official communications sent by email. The Director of Human Resources and the Vice Presidents will develop a process and set of procedures to make certain that this determination occurs for current employees before 1 July 2007 and for all new employees as part of the appointment process.

2. Primary Email Address - Each employee who requires official access to email will receive an assigned address and an official central UMM email account. Each employee with official access to email must designate the central UMM email address as the primary email address for all official communication. The Chief Information Technology Officer and the Vice Presidents will develop a process and a set of procedures to inventory and identify for possible approval a limited number of “unit-based” email systems. Approval of such systems will require adherence to specific requirements with regard to the archiving of all University communications. The CITO and the Vice Presidents will develop and promulgate those requirements, and any approved “unit-based” systems will demonstrate the capacity to satisfy all the specified requirements. Once completed, supervisors will have the authority to change the primary employee address to some other approved UMM email system , with notice provided to the central UMM system.

3. Use of UMM Email Accounts - An employee must use only the designated primary UMM email account for all UMM official communications by email; an employee may not use a non-UMM email account for UMM official business. Violation of this policy will involve sanctions similar to those for any deliberate policy violation. In the event of disruption of internal service, and a need for timely communication, an employee authorized for official email access can use an external provider during the period of the disruption, but must place copies of such communications for archival purposes in the authorized University employee email account.

4. Email to Students - An employee must use only UMM assigned student email accounts for all email exchanges with students, since such communication typically involves private student information. Prospective students who do not yet have University addresses and accounts will, of course, use external providers. University employees can communicate with prospects at external addresses, but must place copies of such communications for archival purposes in the authorized University employee email account, explain the security implications, and encourage prospects to use the email address that UMM provides so as to avoid release of protected information.

Comments on the changes

Number one simply clarifies who needs official access to email, rather straightforward to implement and understand.

Number two represents a minor change in policy. Implementing this change guarantees a complete, comprehensive, and accurate list of official email address, which in turn permits the creation of viable policy and practice as to who sends email for what purpose.

Number three guarantees that the University can satisfy the discovery/freedom of information requirement . It prohibits employee use, except under designated circumstances, of external email services for University communications – such as “hotmail”, “gmail”, “fastmail”, and others – because of the requirement to capture and archive the messages. Use of other services does not lend itself to that purpose without special procedures, as indicated above.

Number four guarantees that email sent by UMM employees does not violate the FERPA requirement by prohibiting the use of external email services. Such services explicitly reserve the right to examine all incoming email, thereby exposing restricted information to a third party (the external email system operator) in violation of FERPA. Note however that number four does not constrain a student's competency to waive the FERPA provisions or to “forward” email from a University account to an external account. Under such circumstances, the student waives the right to privacy.

Number three and number four present a dramatic change in email philosophy and practice, i.e., from informal communication to official communication. Driven by law, not by the opinions of leadership or staff, this change will undoubtedly spark criticism and resistance. Whether popular or unpopular, the University simply has no choice but to respond to requirements we can no longer ignore. I think it safe to say that the changes inherent in number three and four warrant extensive discussion, independent of all the details. While we have yet to develop the detailed policies and procedures, we can and will do so on the basis of that discussion. In addition, we need to attend to such details as the following:

• Student Affairs and new students : How and when do we assure that communication with prospective students fall under these guidelines?

• Responding to student email : If a student initiates contact from an external email service, under what circumstances can an employee respond to the student using that same email service?

• Email archival and security : What requirements relate to email archiving (and security of that archive) that central and unit-based email systems must satisfy?

I understand that these changes will appear onerous and burdensome. Hopefully, discussion and collaboration with all appropriate campus constituencies will make this transition as smooth as possible.

Thank you for your assistance and cooperation.

George Dennison

(Denmem2290)