Use of Email Policy
| Policy Approval Authority | President |
| Responsible Division | Division of Information Policy |
| Responsible Officer(s) | Associate Vice President and Chief Information Officer, Chief Information Security Officer |
| Contact Person | Fred Williams |
| Last Review Date | 04-23-2021 |
University email services are provided as a tool to facilitate communication in the furtherance of academic and business endeavors. The purpose of this policy is to augment and supplement other University policies, to describe permitted uses of University email, and to describe when certain email features are required to be used.
The policy also notes that, under the Illinois Freedom of Information Act, 5 ILCS 140 (“FOIA”) and State Records Act, 5 ILCS 160, electronic/digital files are considered the same as paper files. Thus, university emails, both sent and received, are subject to record retention procedures and considered public documents subject to inspection, unless exempted by law.
Compliance with this policy helps NIU:
- Improve University email communications.
- Maintain compliance with various regulations.
- Implement appropriate email safeguards.
- Improve and strengthen NIU’s brand.
- Protect the University’s reputation.
- Reduce the risk of data breach through email.
- Reduce the risk of compromised user accounts due to phishing.
- Reduce the risk of compromised computers due to malicious email.
This policy applies to all business and employment users of NIU email services. This includes, but is not limited to, university faculty, staff, affiliates, third-party support contractors, and all others granted access to NIU email resources for university use. This does not include student Z-ID email use. If a student is also an employee, this does include the use of the student employee email account.
All users of NIU email services bear responsibility for the appropriate use and protection of NIU email and the data therein. Based on job function and information classification categories defined in the Information Security Policy, some users have a greater burden of responsibility and accountability of data than others.
Table of Contents
- Official Email
- Email that constitutes University Records
- Privacy and Email
- Email Disclaimer and Encryption
- Reporting Email Incidents
- Personal Use and Acceptable Use
- Personalized Email Signatures
- Email Forwarding
- Automatic Replies
- Mass Email
- Commercial Messages
- Compliance and Responsibilities
Official Email
All students and employees of the university are assigned an official university email account. The official university email account is to be used for all official University email correspondence. For example, official communications from University offices, such as the President’s Office, Human Resources, the Provost Office, the Office of Information Security, and others, will be directed to the official email account.
Accordingly, all users shall be presumed to have received all official University email messages sent to their official University email account and are themselves responsible for being aware of those communications.
If an individual has both a student and employee affiliation, the University may assign a separate email account for each affiliation. Email services should be provided only while a user is employed by or enrolled at the University. Exceptions may be granted for conditions such as email extensions for emeritus status, retirements, etc.
Email accounts that are granted to retirees will be a new email account that is separate from their prior official employee email account.
An email alias based on the individual’s name that is registered with the university will be assigned to this official email account. The individual may request a change to their email alias, but that change must reflect their given or preferred name. The university reserves the right to reset any alias that does not meet these criteria. To learn how to request a change to your email alias, log in to the Division of IT support portal at https://it.niu.edu and search the knowledge base.
Email That Constitutes University Records
An email may be considered a “university record” as it may convey approval or denial of a decision, contain evidence of receipt or expenditure of funds, document the official position of the university, or otherwise evidence the official transaction of the business of the university. Therefore, it is important for employees to identify emails that constitute records.
Employees are required to preserve email content that constitutes a university record, in a manner consistent with records of a similar nature.
It is the responsibility of all users to review and follow the guidance on records management found at the link below.
Privacy and Email
The University’s policy on privacy in the electronic environment, including email, can be found at the link below:
Email Disclaimer and Encryption
For anyone that wants to convey a greater degree of confidentiality awareness within the text of an email, it is recommended that the following disclaimer be included in the email signature. For those including a disclaimer, the notice should appear directly below the personalized signature in 10pt Arial Regular dark gray font.
Disclaimer: This e-mail message, including any attachments, is for the sole use of the intended recipient(s). Any unauthorized review, use, disclosure, or distribution is prohibited. If you are not the intended recipient, please inform the sender and destroy all copies of the original message immediately.
Please note that use of such a notice does not prevent discovery of the email for FOIA, legal or investigative purposes.
For departments or individuals that frequently communicate with or about sensitive or restricted information (see policies below), or that are bound by regulations like the Health Insurance Portability and Accountability Act (HIPAA) or the Family Educational Rights and Privacy Act (FERPA) to enforce a reasonable degree of confidentiality for both internal and external recipients, it is recommended that those departments or individuals use the disclaimer together with O365 encryption options as appropriate.
Use of email to communicate restricted data to external third parties is strictly prohibited without appropriate security layers such as email encryption. Common examples of restricted information that require encryption in email include social security numbers, credit card numbers, student grades and education records, personnel records, individual donor gift records, financial records, and protected health information subject to HIPAA.
It is the responsibility of all users to review the information on how to use NIU’s O365 email encryption features here:
It is the responsibility of all users to review and follow the Information Security Policy and the Data Classification Guidelines.
Reporting Email Incidents
It is the responsibility of all users to report email incidents to the Office of Information Security. Email incidents include, but are not limited to, all types of phishing attacks, unauthorized access or changes to your email account by a third party, accidental data disclosure to unintended parties, and all types of email threats of potential harm to person or property.
All email incidents or threats of a criminal nature that involve potential harm to person or property, which includes extortion, must be immediately reported to NIU PD by calling the non-emergency phone number 815-753-1212. If it is an emergency, please call 911.
All other email incidents must be reported to the Office of Information Security for investigation and remediation.
- Report phishing email by forwarding the email as an attachment to firstname.lastname@example.org
- Report all other email incidents by writing a description of the incident and sending it via email to email@example.com
It is the responsibility of all users to review the Information Security page for additional details about email security and current threats.
Personal Use and Acceptable Use
Official email services are provided to allow conduct of university business. Personal use of your official email account is not permitted, except for de minimis use. De minimis use may include occasional, sporadic use that does not interfere or detract from the performance of work responsibilities, and is not in violation of university policy, such as the engagement in prohibited political activity.
For more information on what constitutes prohibited political activity, please review the Ethics and Accountability in the Workplace Policy.
Due to the inherent risks of email use to university resources, data, and reputation, personal use is specifically discouraged for the following types of activities:
- Registering for and participating in personal social media services.
- Registering for and participating in any other online service, platform, forum, or game used solely for personal use.
- Registering for third-party personal-use applications and granting them permissions to university O365 resources.
Using a personal email account, or any other non-DoIT approved email system, to conduct NIU business is in violation of the Acceptable Use Policy. It is the responsibility of all users to review and follow the Acceptable Use Policy.
Retirees that have been granted a retiree email account may use that account for personal use. Those retirees that continue to do important work for the university are bound by all applicable policies including this policy.
Personalized Email Signatures
The Division of Enrollment Management Marketing and Communications has created a standardized email signature template for all faculty and staff to use. A consistent branded email signature strengthens the university’s visual identity and supports wider branding efforts. The Northern Illinois University standardized email signature can be found at the link below and all signatures should conform with this standard.
For those including the confidentiality notice above, the notice should appear directly below the personalized signature in 10pt Arial Regular dark gray font.
Email Forwarding
Manual or automatic forwarding or moving university email that contains private or restricted information as defined by the NIU data classification guidelines, to any destination, internal or external, other than where it was originally sent is only permissible for valid business purposes and where appropriate security controls such as encryption are in place.
Automatic Replies
All employees should use department approved and standardized automatic replies when necessary. Automatic replies should direct the sender as to how they may be assisted while you are unavailable. Managers working with a departing employee will want to make sure an appropriate autoreply message is created for that departing employee’s email account.
Automatic replies should only be sent to internal email accounts unless approved by the department head. Automatic replies to external recipients should only state that you are unavailable and should direct the external recipient as to how to get assistance. Automatic replies to external recipients should not include details as to the duration, reasons, or whereabouts of your absence.
Mass Email
Mass electronic communications, by definition, are email sent in large quantities, and are recognized as an efficient, cost-effective, and environmentally-friendly use of technology for facilitating communication within the NIU community. Mass electronic communications messages can be sent to a list of email addresses or mobile phone numbers of a pre-defined target group.
The approval and distribution of all mass electronic communications, including surveys, shall comply with the policy on mass email communications which can be found at the link below:
Commercial Messages
All “commercial messages,” which are defined as “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service,” must comply with the CAN-SPAM Act. The main requirements of the law are:
- Don’t use false or misleading header information.
- Don’t use deceptive subject lines.
- Identify the message as an advertisement.
- Include a valid physical postal address.
- Tell recipients how to opt out of receiving future email from you.
- Honor opt-out requests promptly, but no later than within 10 business days.
- Monitor compliance with the law by other persons or entities who send commercial messages on your behalf.
For more information on CAN-SPAM, please visit the websites of the Federal Trade Commission.
Compliance and Responsibilities
It is the responsibility of all users to review and follow all university policies. Failure to comply with this policy may result in disciplinary actions, costly data breaches and damage to the university’s reputation.
Any questions regarding compliance should first be discussed at the department level. Questions that cannot be answered at the department level should be directed to DoIT via the IT portal at https://it.niu.edu
Procedural History of the Policy
Policy submitted 04/23/2021