Use of Email

Created by Danny Wong, Modified on Sun, 25 Oct 2020 at 03:59 PM by Danny Wong

Policy Statement

Business provides a centrally-managed email service to employees, subcontractors, partners and affiliates for the purpose of conducting business. While incidental and occasional personal use of email is permissible, personal communications and data transmitted or stored on Business information technology resources (such as email) are treated as business communications, and are subject to automated surveillance by security systems managed by Information Technologies & Services (ITS).


Reason for Policy

Business is legally responsible for protecting confidential information, including that contained in email. Business email systems comply with appropriate security standards. Because Business cannot guarantee the security of external systems, Business reserves the right to prohibit the use of automated email forwarding and requires encryption for any email message containing confidential information that is sent outside the Business network.


Who Should Read this Policy

All users of Business.


1.   Principles

Certain information, such as protected health information (PHI), personally identifiable information (PII), or financial records, is confidential and must be treated with extreme care to avoid inappropriate disclosure that could expose Business and its affiliates to risk. A complete list of all data considered confidential by Business is available in the ITS – Data Classification policy.


While the Business permits generally unhindered use of its information technology resources, those who use Business information technology resources do not acquire, and should not expect, a right of privacy. Business users should not expect that personal communications will remain private and/or confidential. Automated email surveillance systems are in place to identify data that appear malicious in nature (e.g., viruses, spyware) or contain confidential information (e.g., protected health information and personally identifiable information) for further investigation.


2.   Email Account Owner Responsibility

Business provides a centrally-managed email system to employees, subcontractors, partners and affiliates for the purpose of conducting business. No additional email systems are permitted without approval of the Business Owners. 


Business-supplied email accounts are unique and assigned to an individual for communication pertaining to Business. Except in cases approved by Business Human Resources, these email accounts are not transferrable to other users. Access to Business's email system requires certain responsibilities for the account holder, including, but not limited to, the following:


  1. Do not share your email account password with anyone.
  2. Use delegation, where appropriate, if another user needs access to your email.
  3. Do not use email to harass others.
  4. Do not falsify email accounts to send out email as another person.
  5. Do not flood/spam people with email in an attempt to disrupt their service.
  6. Do not accept credit card numbers sent in email for payment purposes.
  7. Do not create rules that enable automated forwarding to non-Business email accounts.
  8. Do not send confidential data to any party via email without using encryption.
  9. Do not use personal email addresses, such as Gmail or Yahoo!, for work-related communications.

3.   Public Display of Email Addresses

As defined in the ITS – Data Classification Policy, Business email addresses are not considered confidential data. A customer's email address is considered an identifier that could link to the Privacy Act 1988.


4.   Email Attachment Policy

In order to align Business with generally accepted email standards, ITS limits the size of all outgoing and incoming email messages, including attachments, to 25 megabytes (MB). Many email systems cannot receive large emails and often do not provide feedback to the sender that the system has rejected the message. By aligning with the common industry practice of limiting email sizes, users should have a higher success rate in sending and receiving email. If attachments larger than 25 MB need to be sent, only Business's Approved File Transfer Service should be used where appropriate (e.g., Dropbox, OneDrive, Google Drive).


5.   Transmission of Confidential Data

Any data considered by Business to be confidential in nature that must be transmitted via email shall utilize encryption when sent over an insecure network and shall only be sent to recipients that have a legitimate need for the information.

  1. Internal Recipients - Email sent within Business's network is considered to be contained within a trusted secure environment. Business's network includes addresses ending in @business.com.au. While an explicit encryption service is not required for data sent to these recipients, it is still strongly recommended to utilize Business's Approved File Transfer Service when sending large attachments containing confidential data.
  2. External Recipients - Email containing confidential data that is sent outside of Business's network (as defined in the previous section) must use encryption. To securely send large attachments to external recipients, Business's Approved File Transfer Service shall be used; however, only the attachments will be encrypted and no confidential data is to be referenced within the subject or body of the message.
  3. For entities performing services or functions on behalf of Business (e.g., a transcriptionist, answering service, etc.) that involve the exchange of confidential data, a Business Associate Agreement (BAA) should be established and encryption must be used to safeguard the message contents.
  4. Email Confidentiality Notice - Individuals transmitting confidential or high risk data may add a confidentiality notice to the footer of their email in order to notify the recipient of the sensitivity of the data contained within the message. The following language is recommended for use in an email signature:
    Confidentiality Notice: This email transmission, and any documents, files, or previous email messages attached to it, may contain confidential and/or privileged information and may be legally protected from disclosure. Any unauthorized review, use, disclosure, or distribution is strictly prohibited. If you are not the intended recipient, or a person responsible for delivering it to the intended recipient, please contact the sender by reply email and destroy all copies of the original message, including any attachments.
  5. Email Forwarding - Automated email forwarding for active Business users is permissible under certain circumstances to qualified affiliate domains. Any requests to allow forwarding must be approved by Business ITS and Business Owners.
  6. Email Account Delegation - Delegation occurs when an email account owner (the “delegator”) grants permissions to another user (“the delegate”) to access the owner’s email, calendar, and/or contacts. Delegation is not permitted by sharing passwords or logging in to the account for the delegate to use – the delegate must be using his/her own account. Delegators have the ability to set variable permissions to the delegate, such that the delegate has the ability to only read emails or also create emails on behalf of the delegator.
  7. Delegation is only to be used in situations where an assistant or coworker needs access to a mailbox account that is within the confines of the delegate’s job responsibilities. The delegator is responsible for ensuring that the delegate’s permissions are appropriate and consistent with his/her job description and training.


6.   Email Account Retention

The Business reserves the right to retain mailboxes of employees, subcontractors, partners and affiliates for the purpose of reference and regulatory obligations.

7.   Email Forwarding

Active Business users who wish to have their email forwarded to another account must submit a request to ITS support. The request should contain the desired forwarding account, a valid business justification, and the length of time the email should be forwarded. The request will be submitted to the business owner for approval.


8.   Related Documents

The following documents are also relevant to this policy:


  1. Data Classification
  2. Data Loss Prevention
  3. Email Security
