
 

Requirements for Use of Personal Accounts or Redirection for University Email

These requirements apply only to employees on Academic-division managed email systems. They do not apply to students or users of the HSTS-managed email system.

For reasons outlined at the end of this agreement, you are strongly advised NOT to redirect or auto-forward email sent to your UVa-provided email address(es) to personal, non-UVa email service(s).

If you wish to use a personal email account for your University work activities, or redirect a University account to a personal email account, you MUST agree to ALL of the following:

  1. You agree to provide access to or copies of all email received or sent concerning University business to the University if requested in accordance with the Freedom of Information Act, internal investigations or audits, subpoena, search warrant or other legal actions.
  2. You agree to turn over to your department supervisor/chair all emails sent or received concerning University business when your employment relationship with the University has ended.
  3. You agree to retain all email received or sent concerning University matters in accordance with the University Records (as defined below) retention and disposition schedules on the Records Management Office website.
  4. You agree that, in accordance with the University Data Protection Standards, you will not transmit via email highly sensitive data (as defined below) or student data protected under FERPA (see definition below).
  5. You agree to comply with all University IT policies.
  6. You agree to take full responsibility for the security, back-up and management of all email sent or received concerning University business or transactions held within the email account.

Definitions

  • Email as a University Record: Email and/or email attachments that document a transaction or activity by or with any appointed board member, officer, or employee of the University. The recorded information is a University Record if it is produced, collected, received or retained in pursuance of law or in connection with the transaction of university business. University Records include but are not limited to: personnel records, student records, research records, financial records, patient records and administrative records.
  • Highly Sensitive Data: Includes personal information that can lead to identity theft if exposed and health information that reveals an individual's health condition and/or history of health services use. Details and examples are provided here.
  • An Education Record under FERPA: Any record that is (1) directly related to a student; and (2) maintained by an educational agency or institution, or by a party acting for the agency or institution (for example, faculty or staff of the University). More information is provided here.

Every University of Virginia employee is assigned a unique email address to aid in the performance of University-related activities. Accordingly, all employees are strongly encouraged to use one of the University's secure email systems (i.e., the UVa Centralized Exchange Service and/or the Central Mail Service) for all workplace communications.

Reasons for this Policy Recommendation

Redirecting your UVa email to a personal, non-UVa email account exposes you and UVa to the following hazards:

  • It removes any guarantee of security and privacy for sensitive University business-related information that may be contained within email text or attachments.
  • It leaves no official records in the University system. If a demand for such records is made in litigation or under the Virginia Freedom of Information Act (FOIA), you may be required to search within, or provide access to, your personal email account for University business records to be recovered.
  • It makes it impossible for UVa technical staff to assist with technology issues related to your outside email provider's services, including the recovery of emails lost due to the provider’s service failures.

 
