Email and good data governance practices

Key points

  1. Always use your ANU email account for University business. ANU email accounts should not be forwarded to personal accounts.
  2. Be mindful of privacy when using email, and ensure you are sending the correct information to the intended recipients. Sending unintended personal information and/or including incorrect recipients may be a data breach.
  3. Emails may be official records, which must be captured in the University record management system, ERMS. Emails that provide evidence of a business activity, process or decision are an official record.
  4. Report suspected data breaches to the ANU Privacy Officer on privacy@anu.edu.au.

Proper use of ANU email

All staff must comply with the relevant policies and procedures when conducting University business, including the Acceptable use of information technology policy and the Email and auxiliary accounts procedure.

Can I redirect my ANU email?

Staff should not redirect their ANU email account to a personal email account. The Email and auxiliary accounts procedure states that "staff and students must use their ANU email account for official University communications". University emails may contain information that is confidential or sensitive, and therefore must not be sent outside of the ANU IT network, unless it is necessary and approved for University business (e.g. communicating with fellow researchers).

Why can't I use my Gmail or Hotmail account?

The ANU email system is compliant with the University's cybersecurity and privacy obligations. Third-party systems such as Gmail and Hotmail are not compliant with these requirements and do not allow for appropriate data governance. Using a personal account for University business poses an unacceptable risk. If necessary, non-ANU email accounts may be copied on an email, noting that ITS will not be able to assist with issues relating to emails sent to these accounts.

Privacy

Email is a great tool for communicating with students, colleagues and other organisations, but it is important to ensure that privacy risks are managed. The best way to do this is to ensure that emails only contain information that is necessary and relevant to the email, and that it is only sent to staff who require the information to perform their duties.

One of the most common privacy issues at the University is accidentally sending emails to incorrect recipients or lists. It is important to always take a moment to check that the correct recipient(s) have been selected from the address book or the auto-complete list.

Please also ensure that the appropriate field has been selected, and consider the use of the BCC field when sending to large groups, or multiple students, to ensure email addresses are not disclosed inappropriately.

What personal information can I send via email?

It is appropriate to send personal information via email, provided the disclosure is permitted by the ANU Privacy Policy. For example, you may send an email with student personal information if it is to manage their program administration or access to University facilities or services. You must only include the information that is necessary to the purpose of the email and it must only be sent to staff who require the information for their duties.

I have sent an email to the incorrect recipients - what should I do?

If you have sent an email to the incorrect person and the email contains personal information, you should immediately ask the unintended recipient(s) to delete any copies of the email.

Please report the incident to the Senior Privacy Officer on privacy@anu.edu.au, who will provide additional advice and guidance, appropriate for the circumstances.

I have received an email in error, I was not the intended recipient - what should I do?

Do not read the email, if possible, or stop reading as soon as you realise you have received the email in error. Reply to the sender only, to advise them you have received the email in error and you will fully delete the email. Immediately delete any copies of the email from your account.

Can I use student email mailing lists?

The University utilises student mailing lists for communicating with specific student cohorts about their enrolment, academic progress, University services, fees etc. Using personal information for these purposes is permitted under the ANU Privacy Policy. Colleges and Divisions may want to contact students for other reasons, e.g. on-campus events or jobs. To communicate with students about these opportunities, mailing lists may be created and managed on an opt in/sign-up basis.

The key principles for managing student mailing lists are:

  • for content essential for program administration, no additional consent is required, as the use is consistent with the purpose for which the information was collected
  • for content not related to program administration, students should opt in by signing up through a process, and
  • where the mailing list does not relate to a student's program administration, they must have the option to opt out of the mailing list at any time (e.g. an unsubscribe link).

Can I use non-student email mailing lists?

Other University mailing lists, including for staff and visitors, must only be used for the purpose for which they were created. Where individuals have signed up to a mailing list, they must be given the opportunity to opt out of future communications at any time (e.g. an unsubscribe link).

Recordkeeping

Remember, even emails may be records, which must be managed in accordance with the Records and archives management policy. Under the policy, staff have a responsibility to:

  • document work activities and decisions, and
  • incorporate records created and received into the University's recordkeeping systems.

Is the email a record?

An email is a record when it is part of University work and provides evidence of a business activity, process or decision undertaken by a staff member on behalf of the University.

Where should I file the email(s)?

If the email(s) is an official record, it should be captured in a recordkeeping system, such as the Electronic Records Management System (ERMS). Email and ERMS are integrated so you can easily file with 'drag and drop'.

Contacts

If you would like further information or advice, please do not hesitate to contact the relevant team: