Managing electronic information (including e-mail)
Retention and disposal
Faculty and staff, including those who are designated as regular, term, visiting, and temporary, as well as student employees are responsible for retaining information that is of value to the University, whether that is for business processes for legal purposes, or historical value. The University’s Record Retention Policy offers recommended retention periods for common University records whether on paper or electronic. Employees with questions should refer to the list of those with authority over specific sets of University information (www.princeton.edu/dataauthority) and/or to the University Records Manager.
Members of the University community, and especially employees, should understand that electronic information is governed by the same laws and regulations as paper documents historically have been, including statutes protecting the privacy of student records, medical information, and other kinds of personal information. Employees and students are expected to apply to electronic information the same security and record retention practices applied to paper documents.
There are three ways of preserving e-mail: on the e-mail system, within an office’s paper files, or in some form of electronic record-keeping system, for example, OnBase. As a general rule, the longer the message must be maintained or the more it needs to be shared, the greater the need to remove it from the e-mail system and store it as a hard copy (including the metadata accompanying the message, for example file properties or full e-mail headers) or in an electronic storage system. Attachments must also be identified and linked to the original message so that they may be easily located. In all cases, the authenticity and integrity of the entire e-mail message should be preserved.
E-mail retained in electronic format must be migrated by the account-holder to new software and storage media as upgrades occur.
Like all records, many e-mail messages eventually will cease to be useful to or needed by the department, and at that point should be deleted by the account-holder. Then the account-holder is responsible for assuring that the “Trash” or “Deleted Items” folder is emptied (either manually or on an automated schedule) to properly dispose of the e-mail records.
When a University employee trades in or replaces a computer or other networked device, it is required that the employee or the employee's computing support specialist use appropriate, effective software to remove any and all data from the hard drive, or if warranted, destroy the hard drive by means approved by the University. As with the disposition of any other University records, e-mail disposal should be regularized and documented. With respect to back-up media, it is recommended that these storage devices be physically destroyed through approved University channels when no longer needed. However, it is imperative that copies of critical work and work product be maintained until no longer needed.
All members of the University community with ready access to e-mail are responsible for knowing the content of official correspondence sent to their University-provided e-mail address. Students who submit academic work via e-mail should retain copies of the work until certain that the instructor has received a legible copy. Acknowledgement by the instructor of receipt of a legible copy would be courteous and is encouraged.
Faculty, staff and students who have personal e-mail accounts with services outside the University shoul use only their University-provided e-mail accounts for communications regarding University matters. Using University e-mail protects the privacy and security of University data; allows for verification of sending and receipt of critical correspondence regarding academic and other matters; and facilitates responses to subpoenas and other situations that may require the retrieval, inspection, or production of documents including e-mail.
Princeton account-holders who have their e-mail copied or forwarded to an outside account must take care to avoid marking for their outside e-mail provider any such copied or forwarded mail as spam. Major Internet service providers have barred all e-mail coming from the Princeton domain when the provider's customers have marked as spam what the provider perceives to be too many messages. Such incidents can interfere with the business of the University as well as impede communication for other members of the University community.
If you are responsible for data that are important to the University and that are created or stored on portable devices, you also are responsible for ensuring that the information is backed up regularly in a form that permits ready retrieval.
If you are a student and have custody of data important for completion of your University academics, you are responsible for assuring that adequate and appropriate back-up of the information is maintained.
Some kinds of information are considered restricted and/or confidential. Some information is defined confidential by law, for example by FERPA or HIPPA. Some contractual agreements require protection of related information. Some research data, including data involving human subjects, must be kept confidential. In general, information should be protected as consistent with the University’s Information Security Policy (www.princeton.edu/informationsecurity).
As an employee or student, whether you have authorized or inadvertent access to what the University defines as restricted or confidential data, you must comply with the University's Information Security Policy and know which University office has authority over the information.
You also must confine your access to or viewing of such data to situations in which only your University responsibilities require such access or viewing.
Any handling of confidential data, whether in hard-copy form, on University-owned equipment, or via personally-owned home devices, should be done in the most secure, confidential manner, consistent with the Information Security Policy.
In the event of unauthorized access to University data, whether through theft or loss of portable devices such as USB drives, laptops, smart phones or other devices, or any other kind of breach of security, the individual who possessed the device or learns of the breach is responsible for notifying the appropriate University offices of a potential data breach, and assisting with the University's data breach response (www.princeton.edu/databreach).
If the individual suspects the breach involves illegal action by a member of the University community, the University's policy on reporting potentially illegal activity (www.princeton.edu/reportingillegalactivity) should be followed.
OIT's Help line (609-258-HELP by telephone, or firstname.lastname@example.org via e-mail) is the best place to start when reporting potential data breach. If a related device is lost or stolen, a report should be filed as soon as possible with appropriate law enforcement. If the incident occurred off-campus, even outside the U.S., a copy of the relevant police report also should be obtained and provided to the Department of Public Safety.
Restricted or confidential data ordinarily should not be stored on mobile devices that are easy to carry away. If it is absolutely necessary to do so, the information must be encrypted to protect it from view should the device fall into unauthorized hands. The portable device and, ideally the files as well, must be password protected. It also is essential to provide adequate physical security for any device, including a desktop machine that contains confidential data.
Please note that if personal information from children under the age of 13 is collected for commercial purposes, such activities may be subject to the Children’s Online Privacy Protection Act.
The University-endorsed encryption product or protocol should be used whenever possible. If the University has not yet endorsed a particular product or protocol for the platform you use, you should be prepared to use one when it is announced as endorsed. Information regarding encryption on University devices is published at www.princeton.edu/encryption.
Those who travel on University business or for study abroad should know that some encryption software may not be taken out of the United States. For that reason, and to avoid transporting restricted or confidential data unnecessarily, it may be prudent to travel with a computer or mobile device specially configured for travel rather than with the laptop or mobile device used locally at Princeton. (For more information, see www.princeton.edu/itsecurity/intltravel.)
The advent of storage services in “the cloud” provides a useful alternative for those who use portable network devices or have computers stationary in several locations. The University has arrangements with certain providers for some secure cloud-based services. For example, faculty, staff, and graduate students may have Princeton-branded Google Drive accounts. (Undergraduate students have access to Princeton-branded Google Apps.) However, the security of cloud services not endorsed by the University still must stand the test of time. Until the University can endorse your doing so, storing confidential or private University information in other “cloud” service poses serious risks, and should be avoided.
Peer-to-peer file-sharing software may not be installed or used on DeSC computers (the set of machines designated explicitly for administrative applications) because such applications could expose to Internet access information that is private, confidential, or University-private. Other policies affecting DeSC computers may be seen at www.princeton.edu/descpolicy and at www.princeton.edu/descsecurity.