Policy on Employee Use of Email
California State University East Bay Policy on Individually assigned Email Addresses
Introduction
Purpose
California State University East Bay (“CSUEB” or “University”) must protect University data. This includes keeping records protected, accurate and accessible. The University takes extra precautions to protect Sensitive Information (Level 1 or 2) sent or received by email. This policy describes University obligations related to email, especially the requirement to use only University email accounts, not personal ones for University business.
Policy Scope
This policy applies to University employees and anyone else who is “affiliated” with the University and conducts University business by email.
Policy Statement
University employees and others affiliated with the University who conduct University business by email must:
- Maintain and use only University email accounts for University business and not use any external/personal email account to conduct the business of CSUEB.
- Limit or minimize personal use of their University email account to occasional and incidental use (e.g. must have so little value that accounting for it would be unreasonable or impractical). See this link for more information.
- Enter and keep an official University email address (and not an external/personal email account) as their business email in the University Directory, Faculty Profile, Syllabi, etc.
- Limit auto-forwarding of University email.
- Auto-forwarding to personal accounts or other non-University accounts is not allowed. Users may forward individual messages to any email address if they follow University policies, standards, and procedures.
- Auto-forwarding between University departmental and individual email accounts is allowed, and is managed by ITS directly.
- Keep, archive, or manage emails according to the CSU Records Retention and Disposition Schedule.
- All email messages sent or received related to University business are covered by the California Public Records Act (CPRA, specifically CA General Provisions (7920.545). Public records may be subject to disclosure.
Roles and Responsibilities
Employees and those affiliated with the University must follow this policy. Violations of this policy must be reported to the Information Security Office (iso@csueastbay.edu).
Managers and Department Heads must make this policy available to staff members and provide guidance on following it.
The ITS Servicedesk can help people follow this policy.
Compliance
Failure to follow this policy may put the University at risk. Employees who do not comply may face disciplinary actions. Students who do not comply may be referred to the Office of Student Conduct. Contractors and vendors who do not comply may face termination of their contracts with CSUEB.
Violation of this policy may also carry the risk of civil or criminal penalties.
Exceptions
- If a person affiliated with the University receives University business email message at a non-University account, they must forward the email message to their University account and tell the sender to use their University email address in the future.
- Marketing, spam, and other messages that a person can delete immediately do not need to be sent to a University account.
- Concerning any Sensitive Information (Level 1 or 2), please consult the Information Security Office for help.
- If a person is not required to have a University Directory entry at all or is not provided an official University email account, they do not need to keep an official email listing there.
- Exceptions to this policy may only be authorized in writing by the campus CIO or CISO.
Definitions
Auto-Forward: An automated way to forward email from one account to another without a person having to take action.
Non-University Email Account: An email account provided by someone other than CSU East Bay. This could be a personal email (like Gmail, Yahoo, or another provider that you have set up yourself). This account could also be associated with another organization (such as a professional organization, or another University).
Departmental Email Account: A departmental email account is provisioned by ITS as a shared inbox model that is made available to employees designated by the requesting the account. This is also known as a delegated email account, which does not require a separate NetID to access. Departments are responsible for alerting ITS to changes in employee assignments so that delegates can be added or removed from a shared email account.
Public Record: Any record created or received in conducting University business, in any format, including paper, photographs, recordings, emails or digital images. The only exceptions are ones that apply under federal or state law.
University Email Account: Email account(s) provided by CSUEB ITS. With rare exceptions, a University account address will almost always end in "csueastbay.edu."
Related Requirements
CSU Policies, Standards, and Procedures
- CSU Information Security Responsible Use Policy
- CSU General Records Retention and Disposition Schedules
- CSU Data Classification Standard
- CSU Records Retention and Disposition FAQs
- CSU Public Records Policy
Regulations
Contact Information
Subject | Contact | Telephone | Online |
---|---|---|---|
Email address questions | Service Desk | 510-885-4357(HELP) | servicedesk.csueastbay.edu |
Reporting an security incident or violation | Information Security Office | 510-885-4357(HELP) | iso@csueastbay.edu |
Questions about Sensitive Information or this Policy | Information Security Office | 510-885-4357(HELP) | iso@csueastbay.edu |