Guidelines on use of e-mail and instant messaging
E-mail and instant messaging/chat applications are useful communication tools for conducting University business. E-mail and instant messages created and received by University employees in the course of their work are also University records to the same extent as information in other media, such as electronic and hard-copy documents.
- Once you send or forward a message you have no control over what a recipient may do with it. This can lead to the unintended disclosure of personal information or confidential information. Be prudent about messages that you create or forward and what you attach to those messages. Be objective and factual in what you write and avoid recording unsubstantiated or subjective comments.
- Avoid use of e-mail and instant messaging to transmit sensitive personal or other confidential information. If you must use e-mail or instant messaging to communicate such information, consider how to minimize the consequences of unintended disclosure (e.g., by disclosing only some information or by deleting personal identifiers).
- Communicate confidential information to individuals by using only those technologies endorsed by IST Information Security Services in their Guidelines for secure data exchange.
- When your e-mail or instant messages contain personal or other confidential information:
- verify the addresses and names of recipients
- avoid using “reply to all” features
- for e-mail, include the following statement at the bottom of the message, following your signature block:
"The information in this message, including any attachments, may contain confidential or personal information intended only for the person(s) named above and that may be subject to the provisions of the Freedom of Information and Protection of Privacy Act or other applicable privacy legislation. Any other distribution, printing, copying or disclosure which is not necessary and proper in the discharge of the University's functions is strictly prohibited. If you are not the intended recipient or have received this message in error, please notify us immediately by reply e-mail and permanently delete the original transmission from us, including any attachments, without making a copy. Thank you.”
- Messages sent over the internet are vulnerable to privacy breaches or unintended disclosure. University employees are expected to use university-provided technologies for work-related e-mail and instant messages.
- Messages and their attachments of continuing value for administration or for corporate memory should be stored in a manner that protects their confidentiality and facilitates retrieval by others authorized to access the information. For example, in a suitably named folder in SharePoint.
- Regularly dispose of messages that are transitory records, of only short-term, immediate or no value, except those which relate to a Freedom of Information and Protection of Privacy Act (FIPPA) access request or an ongoing legal dispute. The Privacy Officer or the General Counsel will notify you when messages should be retained because of a FIPPA request.
Chat & Work in MS Teams & Other Applications
- The use of instant messaging/chat has increased significantly with the implementation of Microsoft Teams, supporting private one-to-one chat, group chat involving numerous individuals, and the sharing of digital files and links to other information resources via chat exchanges.
- As the name implies, chat applications are intended primarily for informal exchanges, not for carrying out work tasks with longer-term records retention requirements. An exception would be specialized chat tools – for example, chat features available in customer relationship management systems – that have been reviewed under the Information Risk Assessment program.
- With the exception of these specialized chat tools, instant messaging/chat should only be used for significant communications in work tasks, decision-making, and the delivery of services if the application includes features allowing you to document chat exchanges in a longer-lasting format to meet the University’s compliance and accountability obligations, if the retention requirements for your messages exceed the retention period set for chat. For example, the “Share to Outlook” feature of MS Teams chat.
- It may be prudent, in some cases, for decision-making bodies or work groups – e.g., committees or project teams – to establish rules limiting or prohibiting the use of chat in the conduct of their work to minimize the risk of chat applications recording information which differs from the content of the group’s official records – e.g., committee meeting minutes or project reports – or is an unwarranted duplication of confidential information, including personal information, which we must protect from unauthorized use and disclosure. Please contact the Privacy Officer or the University Records Manager for assistance with such cases.