Title
University of North Carolina at Chapel Hill Policy on Individual Email Addresses
Introduction
Purpose
University of North Carolina at Chapel Hill (“UNC-Chapel Hill” or “University”) must protect University data. This includes keeping records accurate and accessible. The University takes extra precautions to protect Sensitive Information (Tier 2 or 3) sent or received by email. This policy describes University obligations related to email, especially the requirement to use only University email accounts, not personal ones for University business.
Scope
This policy applies to University employees and anyone else who is “affiliated” with the University and conducts University business by email.
Policy
Policy Statement
University employees and others affiliated with the University who conduct University business by email must:
- Maintain and use only University email accounts for University business and not use any external/personal account to conduct the business of UNC-Chapel Hill.
- Enter and keep an official University email address (and not an external/personal account) as their business email in the University Directory).
- Limit auto-forwarding of University email. Auto-forwarding between University email accounts is allowed. Auto-forwarding to personal accounts or other non-University accounts is not allowed. People may forward individual messages to any email address if they follow University policies, standards, and procedures.
- Keep, archive, or manage emails according to the Records Retention and Disposition Schedule. All email messages sent or received related to University business are covered by the North Carolina Public Records Act (NC General Statutes, Chapter 132). Public records may be subject to disclosure.
Compliance
Failure to follow this policy may put the University at risk. Employees who don't comply may face disciplinary consequences, including termination of employment. Students who don't comply may be referred to the Office of Student Conduct. Contractors and vendors who don't comply may face termination of their contracts with UNC-Chapel Hill.
Violation of this policy may also carry the risk of civil or criminal penalties.
Roles and Responsibilities
People affiliated with the University must follow this policy. They must report violations to the Information Security Office.
Supervisors and Unit Heads must make this policy available to team members and provide guidance on following it.
ITS Staff can help people follow this policy.
Exceptions
If a person affiliated with the University receives University business email on a non-University account, they must forward the email to their University account. Then they must tell the sender to use the University account in the future.
Marketing, spam, and other messages that a person can delete immediately do not need to be sent to a University account.
Any Sensitive Information (Tier 2 or 3), consult Information Security for help.
If a person is not required to have a University Directory entry at all or is not provided an official University email account, they do not need to keep an official email listing there.
Exceptions to this policy may only be authorized in writing by one of the following people:
- Chief Information Officer,
- Chief Information Security Officer,
- Chief Privacy Officer, or
- their authorized delegates.
Definitions
Auto-Forward: An automated way to forward email from one account to another without a person having to take action.
Non-University Email Account: An email account provided by someone other than UNC-Chapel Hill. This could be a personal email (like Gmail, Yahoo, or another provider that you go to directly). This could also be associated with another organization (such as a professional organization, or another University.)
Public Record: Any record created or received in conducting University business, in any format, including paper, photographs, recordings, emails or digital images. The only exceptions are ones that apply under federal or state law.
University Email Account: Email account(s) provided by UNC Information Technology Services or by an authorized University department. With rare exceptions, a University account address will almost always end in "unc.edu."
Related Requirements
External Regulations and Consequences
University Policies, Standards, and Procedures
Informational References
Contact Information
Policy Contacts
Subject |
Contact |
Telephone |
Online |
Email address questions |
ITS Service Desk |
919-962-HELP |
help.unc.edu |
Reporting an information security incident or violation |
ITS Information Security Office
(Ask that your Request be marked "critical" for the Information Security Office (ISO) and do not provide detail on the incident until called back by an ISO incident handler) |
919-962-HELP |
N/A |
Questions about Sensitive Information |
Data Governance Oversight Group (DGOG) |
919-962-HELP |
datagov.unc.edu |
Policy questions |
ITS policy Office |
919-962-HELP |
its_policy@unc.edu |