Email Usage and Retention Standard

1.0 Reference
This standard supports Portland Community College’s Privacy Policies regarding (ORS 341.290 [17]) Student records B407, Confidentiality, Solomon Act, Family Educational Rights and Privacy Act of 1974 (Statute: 20 U.S.C. 1232g; Regulations: 34 CFR Part 99) also known as the Buckley Amendment, OAR 166-450-0000, Oregon Identity Theft Protection Act – Oregon Revised Statute 646A.600, Portland Community College Information Classification Standard, HIPAA Privacy Notice, Fair and Accurate Credit Transaction Act of 2003 (FACTA), and the Payment Card Industry-Data Security (PCI-DSS) Standard. It replaces the Recommended Email Policy.
2.0 Purpose
This standard governs how email is used, in order to prevent tarnishing the public image of PCC, unauthorized disclosure of critical information, disruption of the learning experience, and inappropriate use of email.
3.0 Overview
When email originates from PCC, the general public will tend to view that message as an official statement from PCC. This standard defines the minimum standards of behavior for use of official email. It also governs account management and email retention.
It is the responsibility of every email user at PCC to meet the standard and to conduct their activities accordingly.
4.0 Scope
This standard applies to all PCC employees, contractors, consultants, casual employees, and other workers including all personnel affiliated with third parties using PCC’s email system.
5.0 Standard
5.1 Accounts
5.1.1 Employee Email
Email services are available for faculty and staff to conduct and communicate college business. Email services are provided only while a user is employed by PCC. Once a user's electronic services are terminated, employees may no longer access the contents of their mailboxes.
5.1.2 Student Email
Email services are available for students to support learning and for communication by and between PCC and themselves. The services are provided only while a student is enrolled in the College. Once a student's electronic services are terminated, students may no longer access the contents of their mailboxes.
Student email users are advised that electronic data (and communications using the PCC network for transmission or storage) may be reviewed and/or accessed in accordance with this standard. PCC has the authority to access and inspect the contents of any equipment, files or email on its electronic systems.
5.1.3 Alumni and Others
Individuals with special relationships with PCC, such as alumni or official visitors, who are neither employed nor enrolled at PCC, are granted limited email privileges, including an email address, commensurate with the nature of their special relationship. PCC is free to discontinue these privileges at any time.
5.2 Prohibited Use
The PCC email system shall not be used for the creation or distribution of any disruptive or offensive messages, including offensive comments about race, gender, disabilities, age, sexual orientation, pornography, religious beliefs and practice, political beliefs, or national origin.
Employees who receive any emails with this content from any PCC employee should report the matter to their supervisor or Ethics-web immediately. The Information Security Manager is required to act upon any report of inappropriate email use regardless of the source.
Inappropriate email includes but is not limited to:
  • Sending unsolicited email messages, including the sending of "junk mail" or other advertising material to individuals who did not specifically request such material (email spam).
  • Any form of harassment via email, whether through language, frequency, or size of messages.
  • Unauthorized use, or forging, of email header information.
  • Solicitation of email for any other email address, other than that of the poster's account, with the intent to harass or to collect replies.
  • Sending chain letters or joke emails from a PCC email account.
  • Sending virus or other malware warnings. Such warnings will only be sent by the PCC Information Security Manager, help desk, or authorized third party email service provider.
Third party email services will not be used for the transmission of critical information (see Information Classification Standard) unless they have been vetted by Technology Solutions Services to meet security compliance standards to the level of protection required by law or regulation.
Critical information includes but is not limited to:
  • Personally Identifiable Information (PII) of another person
  • Financial account numbers
  • Passwords
  • Information that can have a derogative impact on PCC, staff, or students of PCC
  • Internal communications that can have a derogative impact on PCC operations if sent to someone without a need to know
  • Health related information of a sensitive nature
  • Information deemed: Confidential, Restricted, or Academically sensitive
Examples of third party services include personal ISPs (Easystreet, Comcast, etc.) and free email providers (Gmail, Yahoo, etc.). The security of all third party providers cannot be reasonably evaluated and guaranteed at this time.
5.3 Personal Use
Using a reasonable amount of PCC resources for personal emails is acceptable, but non-work related email is not supported. Mass mailings from PCC shall be managed by the appropriate email list owner on an individual basis. These restrictions also apply to the forwarding of mail received by a PCC employee.
5.4 Monitoring
Under certain circumstances, it may be necessary for the IT staff or other appropriate University officials to access e-mail files to maintain the system, or to investigate security or abuse incidents or violations of this or other University policies. Such access will be on an as-needed basis, and any e-mail accessed will only be disclosed to those individuals with a need to know or as required by law.
PCC email users should have no expectation of privacy in anything they store, send or receive on the PCC email system. PCC may monitor messages without prior notice. PCC is not obliged to monitor email messages.
PCC may monitor email messages on a random basis or as a routine matter. Supervisors and instructors may review email communications to determine whether there have been any breaches of security, violations of PCC policy, or breaches of duty by employees or other users. PCC may also use software/hardware that monitors email messages electronically for purposes of assuring system security and compliance with PCC policies, or to meet the legal requirements of a subpoena or warrant.
It is a violation of PCC policy for any user to use the email system without due process to obtain access to communications between others. Employees found to have engaged in such "eavesdropping" will be disciplined appropriately and may be terminated.
5.5 Email Security
While PCC attempts to provide secure, private and reliable email services by following sound information security practices, privacy is not guaranteed and users should have no general expectation of privacy in e-mail messages sent through the email system. Email is a public record, is subject to the Freedom of Information Act, and to subpoena by a court of law. Please be aware that any information submitted via email is not confidential and could be observed by a third party while it is in transit.
5.5.1 Encrypted Communications
Encrypted email should be used when confidential information is sent to an external email address. International issues regarding encryption are complex. Users need to follow guidelines on export controls on cryptography, and consult their manager and/or PCC’s legal services for further guidance.
6.0 Email Retention Standard
This standard is intended to help employees determine what information sent or received by email should be retained and for how long. The information covered in these guidelines includes, but is not limited to, information that is either stored or shared via electronic mail or instant messaging technologies.
6.1 Retention Requirements
Email is subject to the same records retention rules that apply to other documents and must be retained in accordance with PCC records retention schedules.
E-mail is one of the many methods of communicating information and does not in and of itself constitute a public record under the Public Records Act. However, information transmitted by e-mail may become a public record if it is made or received in the transaction of public business by a state agency.
Examples of e-mail messages, including messages with attachments, that are public records include: policies and directives, correspondence related to official business, meeting agendas or minutes, official reports, or material that has legal or historic value.
If information transmitted by e-mail meets the definition of a "public record" then it may not be deleted or otherwise disposed of except in accordance with a records retention schedule, directives of the PCC Records Coordinator, and the Procedures for Compliance listed below.
The retention requirement associated with any document is determined by its content, not the method of delivery. All employees are required to follow the retention schedule for Community Colleges codified in OAR 166-450-0000, as well as any applicable federal regulations.
6.2 Types of E-mail Messages
For retention purposes, e-mail messages generally fall into the following two categories:
6.2.1 E-mail of limited or transitory value:
For example, a message seeking dates for a meeting has little or no value after the meeting. Retaining such messages serves no purpose and takes up space. Messages of limited or transitory value may be deleted when they no longer serve an administrative purpose.
6.2.1.1 Examples of transitory messages:
  • Charity campaigns
  • Listserv messages
  • College-wide communications
  • Meeting Reminders
  • Deadline Reminders
  • Routing Slips
  • Fax Confirmation
  • Reading Materials
  • Reference Materials
  • FYI e-mail information [that] does not elicit a response
6.2.2 E-mail containing information having lasting value.
E-mail is sometimes used to transmit records having lasting value. For example, e-mail about interpretations of a department’s standards may be the only record of that subject matter. Such records should be transferred to another medium and appropriately filed, thus permitting e-mail records to be purged.
6.2.2.1 Examples of typical public records:
  • Policies and directives
  • Correspondence or memoranda related to official business
  • Work Schedules and assignments
  • Agendas and minutes of meetings
  • Drafts of documents that are circulated for comment or approval
  • Any document that initiates, authorizes, or completes a business transaction
  • Final Reports or recommendations
6.3 Procedures for Compliance with the Records Retention Requirements
While the methods for reviewing, storing or deleting e-mail may vary, compliance with Oregon records retention requirements may be accomplished by doing one of the following:
6.3.1 Retention of Hard Copy.
Print the e-mail and store the hard copy in the relevant subject matter file as would be done with any other hard-copy communication.
6.3.2 Electronic Storage of e-mail
Data owners may electronically store the e-mail in a file on a disk, or a server, so that it may be maintained and stored according to its content definition under the PCC records retention standard.
6.4 Records Coordinator
The PCC Records Coordinator is the focal point for inquiries about record retention requirements and for viable options for compliance.
7.0 Email Backup and Recovery
Information Technology creates email backup tapes solely for the purpose of restoring the entire email system in the event of disaster. Backups may not allow for restoration of individual mailboxes and cannot be used as a convenience to retrieve "deleted" messages.
Backups do not replace records retention; they are a function of Disaster Recovery. Each department must make provisions to retain documents and messages in accordance with their departmental records procedures and applicable law.
8.0 Enforcement
Any employee found to have violated this standard may be subject to disciplinary action, up to and including termination of employment. Any non-PCC employee using PCC's network services found to have violated this standard may have their access terminated.
Any user who violates this standard may be held liable for damages to PCC assets, which may include, but are not limited to, the loss of information, computer software and hardware, lost revenue due to down time, and fines and judgments imposed as a direct result of the failure of the user to adhere to this standard.
9.0 Definitions
Forwarded email -
Email passed on to another address, usually with an attachment intact if in the original.
Chain email or letter -
Email sent to successive people. Typically the body of the note has direction to send out multiple copies of the note and promises good luck or money if the direction is followed.
Virus warning -
Email containing warnings about viruses or malware. The overwhelming majority of these emails turn out to be hoaxes and contain bogus information, usually intended only to frighten or mislead users.
Unauthorized Disclosure -
The intentional or unintentional revealing of critical information to people, both inside and outside PCC, who do not have a need to know that information.
Approved Email -
Includes all mail systems supported by the IT Support Team. These include, but are not limited to listserv, portal group mail, or announcements. If you have a business need to use other mailers contact the appropriate support organization.
Encryption -
Secure PCC sensitive information in accordance with the Acceptable Encryption Standard. International issues regarding encryption are complex. Follow corporate guidelines on export controls on cryptography, and consult your manager and/or corporate legal services for further guidance.
Spam -
Unauthorized and/or unsolicited electronic mass mailings.
Revision History