OVERVIEW

Email is the mechanism for official communication for all members of the Lake Forest College community and is based on the lakeforest.edu domain UserID, which provides access to electronic resources (hereafter “e-resources”) and supports all business and instructional activities of the College. UserIDs, the messages stored within electronic mailboxes, and all other data stored within College IT systems are the legal property of the College, not the individual user who is assigned an account and provided access. Supported by modern IT security practices and regulatory compliance requirements, users should not have expectation of privacy in any communications transmitted from or stored on College information technology (IT) resources. As such, College IT systems and other e-resources should only be used for College business. Community members shall be held accountable for receiving, reading, complying with, and responding to official email communications from the College. Additionally, College community members bear responsibility for being aware of College policies and safeguarding Protected Information (PI) and other Covered Data of a confidential or sensitive nature in accordance with FERPA, GLBA, and all other applicable laws, regulatory acts, and institutional policy. Users seeking information about eligibility for email or other accounts, or details about when computing privileges are extended or terminated should consult the Eligibility for Accounts Policy.

1. PURPOSE

The objectives of this policy are to:

• Identify UserID naming conventions,
• Describe situations in which users’ email accounts may be accessed,
• Explain user responsibilities regarding the use of email,
• Set expectations for proper mass communication with College communities,
• Identify permissible and prohibited uses of email,
• Outline data protection concerns, and
• Establish guidelines for transfer of access.

2. SCOPE

This Policy applies to all members of the College Community (hereafter the “Community”) whether full- or part-time, including faculty, staff, students, alumni, contracted and temporary workers, hired consultants, interns, and student employees, as well as authorized guests and other members of the Lake Forest College community. (Henceforth collectively referred to as "Users.")

3. ACCOUNT NAMING CONVENTIONS

UserID account names for students and employees are customarily generated as follows:

• Student accounts are generated in the format of [last name] [two initials] @lakeforest.edu
• Employee accounts generally follow the format of [first initial] [last name] @lakeforest.edu, but some accounts lack the first initial.

In the event of unavoidable name collisions, numbers may be appended to the username portion of the UserID. (example: smithjb2)

Upon request, Information Technology Services (ITS) will change the full name and UserID associated with any student who has officially changed their name with the Registrar's office. The same policy holds for staff and faculty members who have officially registered a name change with the Human Resources department.

4. EXPECTATIONS OF PRIVACY

Members of the community should be aware that federal and state regulations mandate that Lake Forest College implement certain security measures to secure personal data which is classified as protected information. In addition to these requirements, the College also proactively aligns its practices with modern IT security standards, adopting robust measures that fortify our systems against constantly evolving threats. With these security controls in place, although the College does not examine files, messages, or other data on an individual basis without legitimate reason, users have no realistic expectation of privacy when using College e-resources. More details on this may be found in Section 7.1 of the Acceptable Use of Electronic Resources Policy. More information on College efforts to protect Personally Identifiable Information (PII) and other sensitive user data may be found in the Data Privacy Policy and the Governance & Compliance Policy.

5. PERSONAL RESPONSIBILITIES

Lake Forest College email accounts are the main conduit for official communications, and users are expected to read, comply with policy and directives, and respond as needed to official email communications from the College during their tenure with the institution. Users having problems with email access should immediately contact the ITS Service Desk at: (847) 735-5544 or servicedesk@lakeforest.edu. Users are also expected to communicate in an appropriate manner consistent with the College Acceptable Use of Electronic Resources Policy y at all times. Additionally, the following responsibilities lie with the user to protect Lake Forest College data and maintain regulatory compliance:

• A community member’s failure to receive or read official communications sent to the user’s official email address in a timely manner does not absolve the user from knowing and/or complying with deadlines, requirements, and safety recommendations, as communicated by the College.
• Users are prohibited from automatically forwarding or conducting official College communications using external e-mail providers. All College business shall be conducted using the official communication platforms acquired and managed by Lake Forest College.
• Users are prohibited from accessing College email through third-party email, calendar, or contact management applications (e.g., Apple Mail, Gmail, or similar non-Microsoft clients.) Such practices result in College data being stored in unauthorized cloud environments or on personally owned, unmanaged devices, which compromise College data security and compliance efforts.
• Employees (faculty, emeriti, and staff) may use or distribute work-related email or other electronic communication platforms only as is appropriate in the performance of the employee’s work responsibilities. The College IT systems should not be used for personal matters.
• Personal Information (PI) and other data classified as protected or confidential shall not be transmitted by employees in unencrypted email or other unprotected electronic communication methods. Users are expected to handle protected and sensitive data appropriately and shall keep it suitably encrypted to protect the information in use, in transit, and at rest. More information about PI may be found in the Lake Forest College Information Security Policy.
• Email efficiency is critical to the business functions of the College. Users of the Lake Forest College email system shall regularly delete unnecessary emails to avoid wasting College resources.

6. MASS EMAILS / DISTRIBUTION LISTS

For clarity, it is useful to define two classes of mass email distribution lists, the “official” College-approved lists and “user-owned” private lists. While the policies/procedures below specifically address use of distribution lists maintained on the Lake Forest College Exchange Online, Jenzabar One Communication, and Technolution's Slate services, they should also be viewed as guidelines for privately maintained lists as well.

The College-approved mailing lists are “official” in that they are derived directly from the Human Resources and Student Administration databases; all such addresses are included, there is no “opt-out” mechanism, they are strictly managed by ITS, and only authorized individuals may send materials to these lists. Official mailing lists may be created on behalf of faculty, staff, or student organizations upon request. The person responsible for the ongoing management of a “user-owned” or “department-owned” official mailing list is known as the “list owner.” If the list owner leaves the College, then the current list owner or their supervisor must find a new list owner and identify that new person to ITS. If no new list owner is identified, the mailing list will automatically be eliminated after the list owner's account is disabled. Student organizations wishing to communicate with a wider campus audience should consult with their faculty or staff sponsor regarding best practices and procedures. Additional information for these organizations and their sponsors may be sought from the Office of Campus Life.

Policies regarding mailing lists are as follows:

• If there is reason to believe that a mailing list will be used for illegal purposes, that list will not be established. If it is operational, it will be disabled after consultation with College administration.
• All mailing lists are subject to all College e-mail policies. Other than official College-approved lists, which may include department mailing lists, class lists, etc., individuals should not be pre-subscribed to mailing lists without their knowledge or permission. Subscribers who request to be unsubscribed from a list should be promptly removed.
• Private user-owned mailing lists will not be created by ITS from College databases. Private list owner(s) or designated group members are responsible for subscribing or unsubscribing members to the list.
• List owners are responsible for properly managing their list. The responsibilities of list owners include:
  • Advising individuals who will be pre-subscribed to the list of the list's purpose and how to unsubscribe themselves.
  • Responding to subscribers requests for removal from the list.
  • Assisting subscribers with subscribing or unsubscribing to the list.
  • Correcting subscriptions that are made incorrectly or in error.
  • Configuring or re-configuring their lists to change list attributes such as ownership, open/closed list status, moderated/un-moderated status, etc.
  • Creating and maintaining current and relevant files such as the subscribers, aliases, news, peers, ignored, info, or welcome files.
  • Responding to errors related to their list such as delivery and remove errors.
  • Responding to requests made by the listserv manager.
• Mailing list behavior or other mass communications which are disruptive to campus or damage the reputation of the College are prohibited. Such mailing lists and the user’s account may be disabled and disciplinary actions taken as needed.
• Membership to a mailing list is not a right of the individual. List owners have the right and are responsible for unsubscribing list members who abuse a list by sending off-topic mail to the list, misuse or abuse the resource, or are abusive of other list members. The list owner is responsible for determining what constitutes off-topic or abusive mailings. The Vice President for Information Technology and Chief Information Officer (VPIT/CIO), the Director of Enterprise Systems, and/or the Senior Systems Administrator may determine if mailings are abusive. Escalation procedures for disagreements regarding the interpretation and application of this policy should be escalated through appropriate College channels, i.e., the Office of Campus Life, the Krebs Provost and Vice President of Academic Affairs, etc., who may address concerns with the VPIT/CIO. Abuse of a list should be brought to the attention of the VPIT/CIO and/or other College authorities.
• Mailing lists will be periodically reviewed for activity on an annual basis; lists that are inactive or fail to conform to policy will be removed. List owners will be contacted prior to the list being removed if ITS staff are uncertain about its status. If an owner is unable to be contacted, the list will be removed.

7. RECIPIENT LIMITS

A maximum limit on the number of individual recipients on a given email message must be placed on users to facilitate early detection of phishing attacks against other members of the College community and to limit the number of users who may be affected. All users will be limited to 50 individual recipients per message.

8. TRANSFER OF ACCESS

If a user is on leave from employment at Lake Forest College, for any reason, a manager may request delegated access to that individual’s account for business continuity purposes. Managers will need to outline to the VPIT/CIO why delegated access to a user’s account is warranted, and to the extent possible, access will be tailored to the need. Individual account passwords will not be shared nor provided by any member of the community.

Additionally, managers may obtain delegate access to an individual’s email account upon termination of employment for business continuity purposes. In these instances, the manager will be granted delegate access for a period no greater than 30 days after an employee’s last day of employment. Exceptions will be made on a case-by-case basis for compelling business rationales. Upon conclusion of this period, the account and its contents will be deleted.

9. ACCESS AFTER TERMINATION/SEPERATION

Employee account access after end of employment is not permitted to comply with laws, regulations, institutional policy, and software license agreements. Students’ legal guardians will not be provided access to student’s account to comply with FERPA. In the case of death of any constituent, account access will not be provided to third parties, family, or anyone else unless there is a legal order to do so.

In all cases, no person may retain a copy of any private or confidential material or electronically stored information upon departure from the College. Individuals accessing or sharing this material unlawfully can be prosecuted to the full extent of the law.

RELATED POLICIES:

• Acceptable Use of E-Resources Policy
• Information Security Policy
• Eligibility for Accounts Policy
• Student, Faculty, and Staff Handbooks

Document Control: