Responsible Use of Electronic Files and Communication

Policy Purpose
Computers and network systems offer powerful tools for communication among members of the Eastern Mennonite University (EMU) campus community and of communities outside of the university. When used appropriately, these tools can enhance dialogue and communications. Unlawful or inappropriate use of these tools, however, can infringe on the rights of others. The university recognizes the complexity of deciding what constitutes appropriate use of electronic communications services. What is appropriate or inoffensive to some members of the community may be inappropriate or offensive to others.

Policy Statement
Members of the campus community are expected to be judicious in their use of technology resources. These resources must never be used for unsanctioned commercial activities, theft, fraud, invasions of privacy, distribution of illegal materials or distribution of copyrighted or licensed materials without appropriate approval. Individuals bear the responsibility to avoid libel, obscenity, undocumented allegations, attacks on personal integrity and acts of harassment.

The university may restrict the use of its computers and network systems for electronic communications in response to complaints presenting evidence of violations of other university policies or codes, or state or federal laws. Specifically, the university reserves the right to limit access to its networks through university-owned or other computers, and to remove or limit access to material posted on university-owned computers.

Data Protection and Preservation

Cloud computing services (like personal email accounts, Dropbox, Evernote, and iCloud) and personal devices that store data (like laptops, smartphones, tablets, USB drives and SD cards) pose unique challenges for institutions. Staff and faculty appreciate these devices’ and services’ ease of use, low cost and ubiquity. But cloud services and personal devices also move EMU data beyond the institution’s control, creating the opportunity for data theft, data breach and data loss.

Faculty and staff desiring the convenience of cloud services are strongly encouraged to use EMU’s Google Drive system

To mitigate this risk:

• Confidential data—financial, employment, educational and health records, etc. (see below for further examples)—must not be stored in personal cloud services or personal devices. Storing confidential data in personal cloud services or on personal devices is grounds for disciplinary action up to and including termination of employment.
• Non-confidential institutional data must not be stored only in personal cloud services or personal devices. We recommend storing data on network drives and copying only working files to cloud services, and then only temporarily. Information Systems is not responsible for data lost in cloud services.

Examples of confidential data possibly stored within electronic or physical systems at EMU include:

• Personally Identifiable Information (PII): Information which can be used to distinguish or trace an individual’s identity such as name and address in conjunction with social security number, biometric records, ID number, birth date, place of birth, mother’s maiden name.
• Financial: Budgets, payroll data, account and transaction information, credit card numbers.
• Employment: Personnel records, employee evaluation forms, disciplinary records.
• Educational records: Records directly related to a student and maintained by an educational agency or institution such as enrollment records, transcripts, grades, attendance records, student ID number, disciplinary records6.
• Health: Any information, recorded in any form or medium, that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

Privacy of Electronic Files and Communications

EMU recognizes users’ reasonable expectations of privacy in information technology data generated automatically by computer systems and by voice and data network devices.

Therefore, Information Systems (IS) management will disclose EMU systems data only under the following circumstances:

1. In response to a court order or other legal papers.
2. In the investigation of a legal or policy violation.
3. In the event of a health or safety emergency.
4. In specific instances of reasonable requests in the interests of the university, such as collaborative research with other institutions.
5. To service providers of campus information systems, with appropriate contractual safeguards.
6. To maintain the operation and security of the campus network.

All requests for EMU systems data must be submitted through Information Systems leadership, who will forward these requests to the provost, director of human resources or vice president for student life, as governed by this policy.

Description of Private Files

Electronic files stored on an individual's computer or in a folder on a file server where access is restricted to an individual’s account are considered private and are to be viewed only by the original creator of the files unless otherwise designated by the creator. Access to such files by others is prohibited without just cause.

Faculty and staff should take steps to ensure that documents necessary to the operation of the university are available to those who may require them.

Email messages are considered private, to be viewed only by the original sender and designated recipient(s). Access to messages by others is prohibited without just cause or permission.

As a matter of principle and ethics, individuals bear the responsibility for assuring that email messages, including attachments and previous appended messages, are forwarded only to parties whose interest is consistent with the purpose of and intent of the previous correspondents. If in doubt, obtain the consent of the original correspondents before forwarding.

Faculty, staff and students should be aware of the following considerations:

1. Data storage and electronic communications are not perfectly secure. There are software and physical limitations that can compromise security. IS tries to minimize such exposures, but risks exist.
2. Mail delivered outside of the university is notably insecure and should be treated like a postcard. It is possible that mail received by individuals may be redirected (forwarded) to another internet site off-campus. Unless you know that the intended recipient of an email message has not redirected mail to an off-campus site, you should assume the possibility that others may see the content of the message.
3. Deletion of files or email messages does not guarantee the inaccessibility of those files and messages. Centrally maintained file-storage systems and email systems are archived regularly. These backup procedures store files and email messages in multiple off-site locations. Thus, even deleted files and email may be available from backups taken months or even years earlier.
4. Information security depends upon individuals keeping their password secure. Anyone issued EMU electronic systems account(s) must have difficult-to-guess passwords and must not share these passwords with others. Guidance for choosing a password is available at helpZONE. Employees are required to enable 2-step authentication on their Google account.
5. Many off-campus internet sites may record information you provide and divulge this to others without your prior consent. In some circumstances, information about you, your activities on the remote site, and information about your computer may be recorded without your knowledge. Some remote Web sites may store information on your computer in the form of hidden files or "cookies." Caution and prudence are advised when providing any information you would consider confidential to unknown third parties.

Access to Private Files or Email Messages for ‘Just Cause’

Access to another individual's electronic files or email messages on EMU systems is permissible only if there is just cause in the following situations:

1. If the creator of the files, or the sender/recipient of email messages, has granted specific permission for another individual or individuals to view designated files and messages.
2. In the event of a system disruption, authorized IS staff may review email messages and/or files to determine ownership and assign access.
3. In cases of suspected violations of university policies, especially unauthorized access to EMU systems, Information Systems leadership may authorize detailed session logging and/or limited searching of user files to gather evidence on a suspected violation.
4. In the event of a situation involving a member of the campus community which renders them unable to access files or messages considered essential for the continuation of university business, another individual may access the individual's electronic files and communications under the procedures set forth in the Emergency Access to Electronic Files and Messages section below.
5. In the event of a need-to-know emergency (e.g. suicide or homicide threat), access to an individual's files or messages will be governed by the procedures outlined in the Emergency Access to Electronic Files and Messages section below.
6. In the event that a local, state, or federal law-enforcement authority in the investigation of a crime, civil litigation, or regulatory proceeding produces a subpoena, discovery request, or warrant granting access to files or messages, following the procedures outlined in the Emergency Access to Electronic Files and Messages section below.
7. In the event of a financial or legal audit, following the procedures outlined in the Emergency Access to Electronic Files and Messages section below.
8. In any other instance, no access is granted to an individual's electronic files or messages without prior review and approval by the appropriate body as indicated in the Emergency Access to Electronic Files and Messages section below.

Emergency Access to Electronic Files and Messages

Emergency access to another individual's electronic files and messages is granted only under conditions noted in the Access to Private Files or Email Messages for ‘Just Cause’ section above.

Before invoking any such procedure, the circumstance creating the need for access shall be reviewed in a timely fashion, access shall not take place without approval, and specific procedures and strictures may be recommended for each circumstance. The persons involved in the review and approval process will vary depending upon the individual involved:

• The provost will assume review and approval responsibility in cases involving a faculty member.
• The director of human resources will assume review and approval responsibility in cases involving a staff member.
• The vice president for student life will assume review and approval responsibility in cases involving a student.

The IS department will work with the individuals mentioned above to determine if the needs of the university or third party requesting access outweigh the privacy concerns of the individual.

Persons directly examining files and messages on the individual's computer, mailbox or file-server space shall not include the individual’s supervisor, adviser or teacher. Only the specifically requested file(s) or message(s) made by the requester shall be accessed.

The student, staff or faculty member will be notified that access has been granted to their files or messages unless there is sufficient and compelling reason not to have done so.

No other files or messages may be copied, transferred or forwarded.

IS personnel charged with the administration of EMU's technology systems and file servers take their obligations to protect individuals' privacy very seriously. The professional standards consistent with positions that require select individuals to have access to personal and sensitive information are strictly enforced. In accordance with general university policy, inappropriate use, access or sharing of confidential information is grounds for disciplinary action up to and including termination of employment and/or civil or criminal prosecution.

Copyright Protected Electronic Content

All members of the campus community must adhere to the provisions of the Digital Millennium Copyright Act (DMCA) and the US Copyright Law (Title 17, U.S. Code). Copyright is a form of legal protection for the creators of original works that include literary, dramatic, musical, artistic, filmed and other intellectual products. Copyright owners have a number of rights under current federal law that includes the right to control the reproduction, distribution and adaptation of the work, as well as the public performance or display of the work.

Copyright exists, without the need for a specific notice, in any original work which exists or is part of any perceptible medium of expression. These works may be displayable on computer screens. Computer software, music, books, magazines, scientific and other journals, photographs and articles are some of the things subject to copyright.

Subject to certain exceptions, it is a violation of copyright law to copy, distribute, display, exhibit or perform copyrighted works without permission from the owner of the copyright. Both copying and distributing are, by definition, components of electronic transmissions. Downloading music or displaying photographs without specific permission of the copyright owner is likely a violation of the DMCA.CAN

Under the DMCA, EMU is permitted to immediately take down any infringing site/computer on the EMU network and block access to any infringing sites on other networks, upon proper notice from the copyright owner or upon actual knowledge of infringement.8

If EMU receives notification from a copyright owner or its agent alleging that a DMCA infringement has occurred, the following actions will be taken.

DMCA Violation Allegations Involving Students

IS will research the alleged violation and determine whether the offending address was present on the network at the alleged date and time. Information linking a specific device and corresponding user will be used to identify the person responsible for that device.

IS will suspend the student's internet access. This will prevent file sharing while allowing them to access EMU resources. If, while the student’s internet access is suspended, another user account authenticates the computer to the internet the owner of that user account will be subject to the same Student Life procedures as the student with the suspended user account.

Student Life will meet with the student to explain the situation and require that the student remove the peer-to-peer software and infringing content.

IS will restore internet access after the student has removed the peer-to-peer software. The student will need to bring the computer to the IS Help Desk for confirmation that the software has been removed.

The first incident will be recorded in their Student Life file as a “warning” only. Subsequent incidents will be recorded in their Student Life file as infractions and the student will need to pay $25 to have internet access restored.

DMCA Violation Allegations Involving EMU Employees

IS will research the alleged violation and determine whether the offending address was present on the network at the alleged date and time. Information linking a specific device and corresponding user will be used to identify the person responsible for that device.

IS will contact Human Resources and turn the allegation notification and information developed from the research over to them. Human Resources will handle the matter as a personnel disciplinary incident.

Mass Electronic Mailing – to Off-Campus Audiences

The following procedures apply to anyone sending mass electronic messages to groups of recipients whose email addresses include domains other than emu.edu.

SPAM CONTROL

The sender must be mindful of and respect provisions of the CAN-SPAM Act of 2003. There may be state laws that also apply to mass mailings.

While definitions vary, it is commonly accepted that for purposes of anti-spam legislation, an unsolicited commercial email is any electronic message, the primary purpose of which is the commercial advertisement or promotion of a commercial product or service. Transactional or relationship messages, such as EMU announcements, and messages requested by or consented to by the recipient, are not considered unsolicited commercial email.

While it is likely that most mass electronic mailings sent on behalf of EMU would not technically be covered by the CAN-SPAM Act of 2003, in the spirit of being good email stewards the characteristics of CAN-SPAM compliant messages should be strongly considered for all EMU mass electronic mailings. The following table lists these characteristics along with compliant and noncompliant examples.

Compliance Checklist for Unsolicited Commercial Email Messages