Electronic Mail Policy

RELATED COLLEGE POLICIES 

Acceptable Use of Information Technology Resources Policy, Password Policy, Remote Access Policy, Privacy Policy  

POLICY CATEGORY 

Information Technology Services 

APPROVAL AUTHORITY 

President’s Leadership Team 

POLICY OWNER 

Vice President, Information Technology Services and Chief Data Officer 

POLICY STAKEHOLDER 

Data and Technology Council 

CONFIDENTIAL LEVEL Public, Internal, Confidential:  Public 

APPROVAL DATE 

9/2019 

EFFECTIVE DATE 

9/2019 

REVIEW FREQUENCY 

Annual 

PURPOSE/SCOPE 

The purpose of this policy is to define the acceptable use of Bristol Community College (“Bristol” or “college”) electronic mail (“email”). Email is a tool provided by Bristol that functions as a primary means of communication and improves educational and administrative efficiency. College employees and students (“users”) have the responsibility to use this resource in an efficient, ethical, and lawful manner. Use of college email accounts evidences the user's agreement to this policy. This policy must be read in conjunction with the Acceptable Use of Information Technology Resources Policy. 

This policy applies to any person authorized to use email services or systems the college owns or manages. The following persons (“users”) are authorized to use Bristol information technology resources: (1) current faculty; (2) current staff; (3) current students; (4) authorized contractors or vendors; and (5) authorized visitors.     

POLICY STATEMENT 

Bristol Community College has established email as a means of sending official information to the college community. To support this objective, the college provides an email account to all active employees and students at Bristol and it is expected that this account is used for all college-related communications. 

Users shall have no expectation of privacy over any communication, transmission or work performed using or stored on Bristol owned information technology resources. Bristol owns all college email accounts, messages, attachments, and addresses it provides to users. The college may wholly or partially restrict access to email without prior notice and without the consent of the user when there is reason to believe that violations of law or Bristol policy have occurred, or in other urgent or compelling circumstances. All email users are bound by the Bristol Community College Acceptable Use of Information Technology Resources Policy. 

 It is strongly encouraged that employees not store college-related business records on personal devices or accounts. Where a personal device or account is used to conduct college business, all records and communications created, including email, shall constitute public records under the Public Records Law and shall be retained in accordance with the Commonwealth of Massachusetts Record Retention Schedule. Further, an employee shall have no expectation of privacy over college records created and/or stored on a personal device or account. 

Uses of Email 

  1. Users are expected to read Bristol email on a regular basis and manage their accounts appropriately. An email message regarding college matters is considered an official notice. 
  2. The college requires that all users conduct college business and academic-related communications using an official college-issued email account.  
  3. All incoming email is scanned for malware and attempts are made to block suspected messages from user email accounts. It is impossible to guarantee protection against all malware and users should take proper care and consideration to prevent its spread. 
  4. College email services may be used for incidental personal purposes if such use does not burden Bristol with noticeable incremental cost(s) or interfere with the user’s employment or other obligations to the college. 
  5. Forwarding email by college employees that contains personally identifiable information as defined within the Acceptable Use of Information Technology Resources Policy, whether automatically or manually, is prohibited.  
  6. Auto-forwarding of email by all users is only permissible if the destination email server is an internally-administered college email system or has been previously authorized. 
  7. Unacceptable use of college email shall include, but is not limited to, the following:  
    • any illegal or unethical act, including violation of any criminal or civil laws or regulations, whether state or federal; 
    • any conduct that violates the college’s Policy on Affirmative Action, Equal Opportunity and Diversity; 
    • any conduct that violates the college’s Code of Student Conduct; 
    • any conduct that unreasonably interferes with the normal operation of the College;  
    • any commercial or profit-making purpose; 
    • sending threatening or harassing messages, whether sexual or otherwise; 
    • accessing or sharing sexually explicit or obscene materials; 
    • infringing on any copyright or intellectual property rights; 
    • any use that causes interference with or disruption of network users and resources, including propagation of computer viruses or other harmful programs; 
    • intercepting communications intended for other persons; 
    • misrepresenting the college or a person’s role at the college; 
    • distributing chain letters; or 
    • defaming any person.  

Retention of College Email 

  1. Beginning in July 2015, Bristol began automatic archiving of all employee email either sent or received by college owned email systems. At that time, all existing messages in employee email accounts were archived. Bristol will retain all email messages for a period not to exceed seven (7) years and messages beyond that age will be permanently deleted on a daily rolling basis.  
  2. Email, whether created or stored on Bristol owned equipment, may constitute a public record under Massachusetts' Public Records Act or Retention Laws or be subjected to mandatory disclosure under other laws, including laws compelling disclosure during the course of litigation. Users of Bristol email services should be aware that Massachusetts' Public Records Act and similar laws prevent the college from guaranteeing complete protection of personal email stored on Bristol email systems. 

Expiration of Accounts 

The policy governing email access privileges are set forth below; however, the college reserves the right to revoke email privileges at any time. 

  1. Departing and retiring employees – employees who leave the college will have email privileges removed on their last day of work. If such separation is for cause, email privileges may be immediately revoked without notice 
  2. Students – students who leave the college or complete their course of study will have access to their email for a period of three semesters, including the summer session, from the last semester of registration.  
  3. Students dismissed from the college – students dismissed permanently from the college will have email privileges terminated immediately as directed by college officials. 
ENFORCEMENT 
Any user found to have violated this policy, intentionally or unintentionally, may be subject to disciplinary action, up to and including loss of access rights, termination of employment, expulsion from the college, or discontinuation of the business relationship. 

ROLES AND RESPONSIBILITIES 

This section provides details on the college personnel who will take part in the development, approval process, and to whom the policy applies. 

ROLE 

RESPONSIBILITY 

Information Technology Services 

  • Ensure awareness and compliance with this policy. 
  • Ensure that this policy and all component policies and procedures are maintained and implemented.  
  • Review this policy periodically and update as needed in response to environmental and/or operational changes. 

All Users 

  • Understand and adhere to this policy.  
  • Use College resources in only those methods, which have been identified as acceptable by this policy.  
  • Immediately report unauthorized or suspicious activities or violations of this policy to their manager and the IT Manager. 

REFERENCES 

This section provides a crosswalk for this policy to the applicable best practice security frameworks, both within Massachusetts and at the national level.  

Framework 

CIS Critical Security Controls v6.1 

Regulations and Requirements 

PCI DSS - MA 201 - HIPAA 

Supporting 

Standards and Procedures 

  • CSC 10 – Data Recovery Capability 
  • CSC 13 – Data Loss Prevention 
  • CSC 14 – Controlled Access Based on Need To Know 
  • CSC 16 – Account Monitoring and Control 
  • PCI DSS Requirement 12 - Maintain a policy that addresses information security for personnel. 
  • MA 201 CMR 17.03 Section 2 
  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA) 
  • COBIT 5 DSS05, APO11.02 
  • COBIT 4.1 PO.2 - IT Standards and Quality Practices 
  • NIST Core Framework - PR.IP-4, PR.AC-5, PR.DS-2, PR.DS-5, PR.PT-2, PR.AC-4, PR.DS-1, PR.PT-3 

REVISION HISTORY 

This section contains information on the approval and revision history for this policy.  

Version Number 

Issued Date 

Approval 

Description of Changes 

1.0 

3/2016 

Massachusetts CIO Council 

Development and adoption of collaborative and standardized IT policies 

1.0 

7/2016 

Massachusetts Community College Counsel’s Office 

Recommendation on contents provided by college counsel 

1.0 

12/2016 

Standardized Control Framework 

Mapping of Controls from COBIT to CIS Critical Security Controls v6.1 

1.0 

9/2019 

President’s Leadership Team 

Policy adoption 

 
POLICY CONTACT 

Name:Jo-Ann Pelletier 

Title:Vice President, Information Technology Services and Chief Data Officer 

Phone:774.357.2412