Email and good data governance practices
- Always use your ANU email account for University business. ANU email accounts should not be forwarded to personal accounts.
- Be mindful of privacy when using email, and ensure you are sending the correct information to the intended recipients. Sending unintended personal information and/or including incorrect recipients may be a data breach.
- Emails may be official records, which must be captured in the University record management system, ERMS. Emails that provide evidence of a business activity, process or decision are an official record.
- Report suspected data breaches to the ANU Privacy Officer on firstname.lastname@example.org.
All staff must comply with the relevant policies and procedures when conducting University business, including the Acceptable use of information technology policy and the Email and auxiliary accounts procedure.
Can I redirect my ANU email?
Staff should not redirect their ANU email account to a personal email account. The Email and auxiliary accounts procedure states that "staff and students must use their ANU email account for official University communications". University emails may contain information that is confidential or sensitive, and therefore must not be sent outside of the ANU IT network, unless it is necessary and approved for University business (e.g. communicating with fellow researchers).
Why can't I use my Gmail or Hotmail account?
The ANU email system is compliant with the University's cybersecurity and privacy obligations. Third-party systems such as Gmail and Hotmail are not compliant with these requirements and do not allow for appropriate data governance. Using a personal account for University business poses an unacceptable risk. If necessary, non-ANU email accounts may be copied on an email, noting that ITS will not be able to assist with issues relating to emails sent to these accounts.
Email is a great tool for communicating with students, colleagues and other organisations, but it is important to ensure that privacy risks are managed. The best way to do this is to ensure that emails only contain information that is necessary and relevant to the email, and that they are only sent to staff who require the information to perform their duties.
One of the most common privacy issues at the University is accidentally sending emails to incorrect recipients/lists. It is important to always take a moment to check that the correct recipient(s) has been selected from the address book or the auto-complete list.
Please also ensure that the appropriate field has been selected, and consider the use of the BCC field when sending to large groups, or multiple students, to ensure email addresses are not disclosed inappropriately.
What personal information can I send via email?
I have sent an email to the incorrect recipients - what should I do?
If you have sent an email to the incorrect person and the email contains personal information, you should immediately ask the unintended recipient(s) to delete any copies of the email.
Please report the incident to the Senior Privacy Officer on email@example.com, who will provide additional advice and guidance, appropriate for the circumstances.
I have received an email in error, I was not the intended recipient - what should I do?
Do not read the email, if possible, or stop reading as soon as you realise you have received the email in error. Reply to the sender only, to advise them you have received the email in error and you will fully delete the email. Immediately delete any copies of the email from your account.
Can I use student email mailing lists?
The key principles for managing student mailing lists are:
- for content essential for program administration, no additional consent is required, as the use is consistent with the purpose for which the information was collected
- for content not related to program administration, students should opt in by signing up through a process, and
- where the mailing list does not relate to a student's program administration, they must have the option to opt out of the mailing list at any time (e.g. an unsubscribe link).
Can I use non-student email mailing lists?
Other University mailing lists, including for staff and visitors, must only be used for the purpose for which they were created. Where individuals have signed up to a mailing list, they must be given the opportunity to opt out of future communications at any time (e.g. an unsubscribe link).
Remember, even emails may be records, which must be managed in accordance with the Records and archives management policy. Under the policy, staff have a responsibility to:
- document work activities and decisions and
- incorporate records created and received into the University's recordkeeping systems.
Is the email a record?
An email is a record when it is part of University work and provides evidence of a business activity, process or decision undertaken by a staff member on behalf of the University.
Where should I file the email(s)?
If the email(s) is an official record, it should be captured in a recordkeeping system, such as the Electronic Records Management System (ERMS). Email and ERMS are integrated so you can easily file with 'drag and drop'.
If you would like further information or advice, please do not hesitate to contact the relevant team: