This document defines and clarifies policies and procedures where UW-Whitewater's Acceptable Use Policy, and other existing laws and organizational policies, do not specifically address issues particular to the use of individually-owned email accounts. This policy applies equally to transactional information (email headers), the content of the message, and attachments. Email use is also governed by all policies that apply to the use of all UW-Whitewater facilities.
In support of instruction, research, and administrative functions, UW-Whitewater provides a campus email system to share information, to improve communication, to transact university business, and to exchange ideas. E-mail is considered an official means of communication for the members of the UW-Whitewater community.
UW-Whitewater has the need to send communications to students and employees via e-mail and the right to expect that those communications will be received and read in a timely fashion. UW-Whitewater respects the privacy of users. UW-Whitewater recognizes that academic freedom and freedom of speech are important aspects of the campus email policy. UW-Whitewater does not routinely inspect or monitor email. However, UW-Whitewater may deny access to the campus email system and may inspect, monitor, or disclose email when circumstances indicate such action is necessary. As such, there should be no reasonable expectation of complete privacy. The campus email system is provided as a communication tool for faculty, staff, and students for purposes that conform to this policy; email accounts are created automatically when an employee is hired or when a student attends a preview and/or transfer registration session and is enrolled in at least one course. Associates and groups associated with UW-Whitewater that are eligible to request a campus email system account include, but are not limited to: emeriti faculty, exchange students, participants in educational programs, contractors, independent consultants, official campus student organizations, and departments.
The campus email system's intended use is as a messaging tool and not a file sharing system. Appropriate use includes sending brief messages between two or more individuals, and exchanging small university business-related documents.
Users of campus email shall act in a professional and responsible manner when using the campus email communication system, both in regard to communications with members of the university community and other individuals or groups. Mass emails intended for large segments of UW-Whitewater, such as all staff, faculty, or the entire student body, must be sent to the Campus Announcement Board; it is then up to the discretion of the University Marketing and Communications office whether the communication is appropriate for mass distribution.
The campus email system may be used for incidental personal purposes provided that such use does not:
For more information regarding the expected behavior of campus technology users, click here.
Allegations concerning the misuse of the campus email system involving an employee should be communicated immediately to the appropriate supervisor or college dean. Allegations involving students should be communicated immediately to the Dean of Students Office.
Access to the campus email system may be wholly or partially restricted by UW-Whitewater without prior notice and without the consent of the email user when or if:
The email user will be notified of the reason and duration of the access restriction as soon as possible. It may take up to 2 business days for email access to be restored.
UW-Whitewater attempts to provide a secure and reliable campus email system. However, such professional practices and protections are not infallible and the security and confidentiality of the campus email system cannot be guaranteed. Furthermore, administrators of the campus email system have no control over the security of email that has been downloaded to a user's computer. Users of the campus email system are expected to take appropriate security measures. Users should take proper precautions in keeping passwords confidential.
In order to prevent a practice known as "spoofing", UW-Whitewater will block all emails indicating that they were sent from UW-Whitewater email addresses that do not originate from UW-Whitewater email servers. Exceptions may be granted based on need and available technology. The University of Wisconsin-Whitewater also reserves the right to scan, using an automated system, emails sent from outside the UW-Whitewater email servers for words or phrases, file types, and other potential threats that could compromise the security and/or integrity of the campus network. Incoming emails that contain traits consistent with potential threats to the user or campus network may be modified to warn the recipient of the potential threat, as approved by the UW-Whitewater Executive Tier Committee on March 16, 2015.
As a means to educate the campus community about potential threats to user privacy and to protect the security of the shared campus network, UW-Whitewater may send email messages to members of the campus that imitate commonly-used cyber security threats. These educational events will be communicated to the campus community through a campus announcement and/or the ICIT website, prior to implementation. Some users may be asked to participate in security training based on the results of the exercise.
ICIT is responsible for the security and protection of the campus email account and related networking systems. Viruses and phishing scams are designed to infiltrate the campus network in order to cause harm to all members of the campus community. When a user inadvertently downloads a virus or shares credentials in a phishing scam, the threat needs to be mitigated immediately to prevent further impact. As a result of the resource-intensive mitigation process, other essential campus projects and needs are put on hold to address the immediate threat.
High risk users are individuals who engage in conduct that creates a security risk or potential breach of security to their own campus account and/or other campus email users on two (2) or more occasions, creating an elevated risk. This results in a cost to UWW to increase technological modifications and safety measures to ensure network security.
In accordance with Board of Regent Policy 25-3, UW-Whitewater employees and students are required to use their campus accounts and internet access in a manner that complies with Regent Policy 25-3 and the UWW Email Policy and Network Use Policy.
Using a campus email account in a manner that has the potential to compromise the security and protection of either the UWW electronic network system or email system is considered a serious data security concern that requires immediate action to eliminate the threat and prevent a breach or disclosure of personally identifiable information of a user and/or unauthorized access to the UW-Whitewater network system.
Any employee or student who uses their campus account in a manner that is considered a security risk, such as responding to phishing scams and/or downloading a virus, shall be required to complete a mandatory online network security training program within ten (10) calendar days upon notification from ICIT and/or their supervisor. Failure or refusal to complete said training may result in disciplinary action as noted below and/or immediate suspension of all email privileges until said training is completed and/or ICIT approval is reinstated. Further actions that create a security risk or breach of the campus email system may result in permanent removal of all email privileges and/or disciplinary action, up to and including dismissal from employment. Any incident of a violation of this policy shall be documented in an employee's personnel file notwithstanding whether disciplinary action is taken.
Employees: In the event an employee is determined to be high risk, ICIT will contact the Office of Human Resources & Diversity, and the employee's supervisor, to inform them of the policy violation. Human Resources and the employee's supervisor will determine disciplinary actions according to policies and procedures. Human Resources will then consult the appropriate campus administrator, as outlined below, prior to implementing any disciplinary action. The timeline and process for reinstating lost privileges that result from disciplinary action will be at the discretion of the Human Resources office and the campus administrator being consulted.
Students: In the event an enrolled student is determined to be high risk, ICIT will notify the Dean of Students of the policy violation. The Dean of Students will determine appropriate disciplinary action for students determined to be high risk. The timeline and process for reinstating lost privileges that result from disciplinary actions will be at the discretion of the Dean of Students.
Disciplinary measures will be conducted in consultation with the appropriate campus administrator, outlined below.
|Email User Status||Administrator|
|Faculty & Academic Staff||Provost and Executive Vice Chancellor for Academic Affairs|
|University Staff, Employee or student in capacity as a staff Employee||Vice Chancellor for Administrative Affairs|
The University occasionally sends out emails that simulate phishing and other common email scams in an effort to test security and train employees. If an employee demonstrates a pattern of compromises through these simulated exercises, they may be considered high risk if the pattern of compromises is considered egregious.
Examples of what is considered egregious:
Any written communication, including emails, that is created or maintained as a part of an employee's official duties or functions is considered an official record of the university and subject to collection and disclosure as necessary for university business or pursuant to laws, policies or litigation. Employees do not have privacy rights to such records nor should an employee assume that any record created or maintained on the university's network or server is private or confidential. Any private or confidential communication that is created or maintained on the university's network or server may be subject to the applicable state and federal laws related to public records and privacy rights, Board of Regent policies, System Administration policies and university policies.
As a part of operational services and management, designated ICIT postmasters may collect and review communications on the university's network or server based on a legitimate business or administrative need, such as evaluation of system security, security risk, violation of law or policy, or other legitimate reason.
Except as noted above, UW-Whitewater shall only permit the inspection, monitoring, or disclosure of email without consent from the account owner when authorization for such access has been obtained in writing by the appropriate authorizing official based upon the chart below. Once authorization is obtained, the actual inspection, monitoring, or disclosure of email will be executed with the least action necessary to resolve the situation. This authority may also be exercised by the Chancellor or Vice Chancellor without regard to the status of the affected individual. The authorization shall be in writing and shall be based on a request submitted in writing.
|Email User Status||Administrator|
|Faculty & Academic Staff||Provost and Executive Vice Chancellor for Academic Affairs, after consulting with the UW Legal Counsel and with the written notice to the Chair of the Faculty Senate/Academic Staff Assembly, may authorize the department/unit head or Dean.|
|Student (not acting in a capacity of a Staff Employee)||Vice Chancellor for Administrative Affairs, after consulting with UW Office of General Counsel, may authorize the Dean of Students.|
|University Staff, Employee or Student in a capacity as a Staff Employee||Vice Chancellor for Administrative Affairs, after consulting with the UW Office of General Counsel and/or UW-Whitewater Office of Human Resources & Diversity, may authorize the department/unit head or Dean.|
The Wisconsin Public Records Law, Wis. Stat. §§19.31-19.39, authorizes requesters to inspect or obtain copies of official records created and maintained by government authorities. As a public entity, UW-Whitewater is subject to the provisions of this Law. Email communications that are received, created and/or maintained in an official capacity as a part of University business are considered official records and subject to disclosure, similar to a written or printed document. The Law only applies to records that exist at the time of the request. Email messages retained in an employee's inbox (either on the server or on your workstation) are considered readily available and may be subject to disclosure, subject to any applicable fees. This may include emails that contain official University business, even if located on a private email account. In accordance with federal law, emails that contain student educational information that is protected under the Family Educational Rights and Privacy Act (FERPA) or other privacy interest may be exempt from disclosure.
If a court order or other lawful subpoena is received that requests email communications, please notify the UW System Office of General Counsel immediately. In accordance with the UW System Record Retention Policy and Schedule, official records, including email communications, must be retained per the retention schedules and/or litigation hold directives. Any employee who deletes any records, including email, to avoid a public records request or subpoena may be subject to disciplinary action, up to and including dismissal.
The campus email system is backed up solely for the purpose of restoring the entire electronic mail system in the event of a disaster or system failure. Backup files may not be used for restoration of individual mailboxes and may not be used as a convenience to retrieve "deleted" messages. Backup files do not serve as a records retention function. Each employee/department must make provisions to retain documents and messages in accordance with their departmental records retention policies or practices. The retention requirement associated with any document is determined by its content, not the method of delivery. The responsibility of retaining an internally created and distributed document (or message) is held by the creator of the document, not the recipients. Recipients may delete such received messages when their use has been fulfilled.
Global policies are maintained to set guidelines for the expected behavior of all campus community members while using shared network and computer resources.