E-Mail and Digital Communication Policy – 208.4

Back to Administration

University of Arkansas at Little Rock
Policy Name: E-mail and Digital Communication Policy
Policy Number: 208.4
Effective Date: October 21, 2020
Revised Dates: September 17, 2020
Most Recent Review Date: September 17, 2020

Purpose

UA Little Rock recognizes the efficiency of employing digital communications among its students and employees. Digital communication saves time, saves money, and is often the fastest, most effective method of communication among members of the UA Little Rock community. At the same time, digital communications can easily be abused, and an email that seems useful and pertinent to one student or employee might easily appear as “spam” to another. While email from individual to individual is sometimes troublesome, the real issue emerges about bulk or group communications, and it is this type of communication to which this policy refers explicitly.

Scope

This policy establishes standards for the electronic transmission of sensitive and business-critical data and the controls that the users will employ to protect the security and privacy of sensitive and business-critical electronic data.  This policy also addresses rules and responsibilities while using UA Little Rock’s digital communications. This policy applies to email, instant messaging, voice mail, file transfer, and any other technology that transmits sensitive and business-critical data electronically.

Definition of Terms

University Business: University Business is work performed as part of an employee’s job responsibilities, or work performed on behalf of the University by faculty, staff, volunteers, students, trainees, and other persons whose conduct, in the performance of work for the University, is under the direct control of the University, whether or not they are paid by the University.

Sensitive Data: Sensitive data is a blanket term used to designate classes of data with a high level of security that the University is legally or contractually required to protect.  Sensitive data may also be referred to as protected information or personally identifiable information.

Policy

Sensitive and business-critical data that are to be transmitted electronically shall be transmitted in a manner that protects them against unauthorized access and ensures their integrity. When the circumstances allow, electronic transmission of sensitive and business-critical data, reasonable and appropriate security measures shall be implemented.

  1. All use of email and other communication methods and tools must be consistent with UA Little Rock policies and procedures of ethical conduct, safety, compliance with applicable laws, and proper business practices.
  2. Any faculty member, staff member, or student may develop a mailing list or otherwise communicate electronically (subject to the content restrictions imposed by UA Little Rock’s Acceptable Use Policy) with those with whom they have a supervisory, collaborative, or instructional relationship.
  3. It is unacceptable to use the University’s electronic communication resources (in any form)
    1. To send unauthorized mass communication of any type
    2. To send rude, obscene, harassing, or illegal material, or material that in any way conflicts with the regulations of the university
    3. To send any material that in any way conflicts with state or federal law
    4. To send/receive individually identifiable health information, social security numbers, passwords, or any other Confidential information via the Internet or non-ualr email addresses
    5. To perform an operation or activity that degrades the performance of the UA Little Rock’s IT systems and network
    6. To send E-mail with the intent of disrupting communication or other system services
    7. To send broadcast e-mail or listserv/group communications to users without proper institutional or divisional approval
    8. To intentionally distribute messages that contain viruses, worms, or other malicious code
  4. It is extremely important that when communicating with others, including students, faculty, and staff, that users exercise extreme caution to send messages only to intended recipients.  Users should only correspond with the campus community via their official @ualr.edu email address.  Faculty and staff should encourage students corresponding with them via unverified personal communication methods (email, text, etc.) that they need to use their official ualr.edu email.
  5. In general, emails sent directly from @ualr.edu to another @ualr.edu permit the sending of private and confidential information, however, extreme caution should be used.  Encryption of data is highly encouraged.
    1. Users must recognize that email can be misdirected or forwarded on.
    2. Email can be stored on external devices outside of campus security controls.
    3. Users that routinely share confidential or protected information should never read their email via clients that could potentially store campus data on external systems.
    4. Users should never forward confidential or protected information to third party systems.
  6. Users are forbidden from using third-party email systems and storage servers to conduct UA Little Rock business, to create or memorialize any binding transactions, or to store or retain email on behalf of UA Little Rock.
  7. E-mail should not be the method to transmit or receive business-critical, sensitive, and personally identifiable information (PII).  If transmission of PII, especially information protected by FERPA and HIPAA regulations is required, extreme caution must be applied, and the CISO should be consulted before sending such transmission.  It is recommended that sensitive data should be encrypted.
  8. Without authorization, it is forbidden to attempt to access and listen to another person’s voice message, or access and read another person’s e-mail, or other electronic messages or files, even when these are accidentally exposed.

 References

  1. Definitions.
    1. University Business: University Business is work performed as part of an employee’s job responsibilities or work performed on behalf of the University by faculty, staff, volunteers, students, trainees, and other persons whose conduct, in the performance of work for the University, is under the direct control of the University, whether or not they are paid by the University.
    2. Sensitive Data: Sensitive data is a blanket term used to designate classes of data with a high level of security that the University is legally or contractually required to protect.  Sensitive data may also be referred to as protected information or personally identifiable information.
  2. UA Little Rock Acceptable Use Policy
  3. UA Little Rock E-Mail and Communication Policy
  4. UA Little Rock Password Management Policy
  5. UA Little Rock Network and Access Management Policy
  6. UA Little Rock Password Management Guidelines
  7. UA Little Rock E-Mail Communication Guidelines
  8. ISO 27001:2013
  9. NIST 800-53A
  10. NIST Cyber Security Framework
  11. HIPAA
  12. FERPA
  13. PCI-3.2

Source: Board of Trustees Policy 285.1
Status: Active
Approved By: Christina Drale, Chancellor, 10/21/20
Originator: Vice Chancellor for Finance and Administration
Custodian: Information Technology Services