Legislation
Summary
Legislation requires employees to avoid, or makes it an offence to:
Send personal data externally by email which is not encrypted
Include inappropriate comments in emails
Grant another person access to their mailbox without permission
Download/send viruses/malicious software from/by email
Inappropriately use computer resources
Send unauthorised, unsolicited marketing material, and ‘junk’ mail of any kind
Not manage email records properly to facilitate the retrieval of information
Use personal email accounts for University business
Send unauthorised copies of copyrighted works by email
Send offensive, abusive, threatening or discriminatory email messages
Content
The legislation which applies to email use is listed below along with a brief outline of the main relevant notes which include best practice guidelines where necessary:
This Act makes it an offence to:
· Maliciously corrupt or erase data or programs e.g. download from a received email or send an email containing viruses or malicious software, thereby denying access to authorised users or giving unauthorised access;
· Make unauthorised use of computer facilities or unreasonably waste computer resources and time.
This legislation protects the rights and privacy of individuals’ personal data e.g. contained in text, images, audio recordings, etc. Email users must be aware of the risks associated with sending personal data externally by email and ensure these are carefully considered in order to avoid a data breach, e.g. they must consider whether encryption or password protection of the information is required. Guidance can be found in the University’s DP Code of Practice, encryption advice and email guidance, and Information Security Classification Scheme.
· Individuals are entitled to request a copy of any information held about them e.g. their personal data - this includes information in email format. It is an offence to alter or destroy that information once the data subject has submitted a Subject Access Request. Care should be taken not to include inappropriate comments in emails which may be disclosed in response to an access request.
· Under this, and related, legislation University policy is that members of staff should not grant another individual access to their email account unless exceptional circumstances apply and it is authorised by a senior manager.
These regulations protect individuals’ privacy, with particular regard to regulating electronic direct marketing activities.
· Consent by affirmative action must be collected from individuals before they can be sent any communications designed to influence or change recipients’ behaviour. Consent must be as easy to withdraw as to give and records of consent must be maintained. Opt-out tick boxes are not allowed.
· Any approved email marketing activities must adhere to the University PECR guidance.
· Sending unauthorised, unsolicited marketing material, chain letters and ‘junk’ mail of any kind from University email accounts is prohibited.
This Act gives individuals the right to request information held by public authorities, including information contained in emails.
· Email records must be retained in shared network areas, which comply with University guidance, having the appropriate level of security required for the type of information and being accessible to appropriate colleagues, to ensure that the information is available for FOISA responses and any other business reasons.
· Under section 61 of the FOISA the University is obliged to observe the Scottish Ministers’ Code of Practice on Records Management, which includes the management of emails which constitute University records. The University’s Records Management Policy and email guidance refers.
· Protected and/or Confidential information must be handled in accordance with the recommended Security Controls detailed in the University Information Security Classification Scheme. Information in these categories must not be transmitted/shared for unauthorised purposes.
· University business should not be conducted by employees through non-University email accounts – any such communications are subject to FOISA.
This Act regulates the surveillance and investigation of communications by institutions and makes it an offence for any person to intentionally and unlawfully intercept communications.
· The University conducts authorised monitoring as detailed in the University Monitoring and Logging Policy (Electronic Information Security Policy) and the University’s Personal Data Processing Statements.
Intellectual property legislation makes it an offence to use or copy all or a substantial part of any work/s, registered or unregistered, which are protected under the legislation, without permission or acknowledgement, including sending or forwarding the work/s by email.
· Confidential information such as business plans and trade secrets are covered by the Act. The University has a comprehensive copyright guidance resource available online.
· Other legislation dealing with intellectual property rights includes:
It is an offence to send a message or other content that is grossly offensive or of an indecent, obscene or menacing nature or where the sender’s address is masked or ‘anonymous’. It is also an offence to send a message that is intended to cause annoyance, inconvenience or needless anxiety to another that the sender knows to be false. An offence is committed as soon as the message has been sent: there is no need to prove any intent or purpose.
Other legislation dealing with written communications which are threatening, abusive, defamatory, discriminatory, inflammatory or insulting and cause alarm, distress or any form of harassment includes:
Please note that this list is not exhaustive.
Page last updated 28 March 2019