Stewardship and Custodianship of Electronic Mail:
Policy Background
In January of 2003, the University Policy Office promulgated University
Policy 4.12, Data Stewardship and Custodianship. It was a grand accomplishment,
after almost ten years of effort, to have a university-level policy addressing
the needs of institutional data. Electronic mail represented a significant
lacuna in the policy, however: in an effort to create a policy that
categorized administrative data into seven functional areas, the complications
that electronic mail raised caused it to be left out of the scope of the
policy. The Office of Information Technologies, and the Vice President
of Information Technologies in particular as chief custodian of Electronic
Mail, brought forth this policy as the responsible office under the rubric
of University Policy. After extensive consideration by stakeholders
throughout the university, and with the focused attention of the Office of
University Counsel, the Office of Human Resources and the University Policy
Office process, on February 12, 2005 the University Policy Office promulgated
University Policy 5.5, Stewardship and Custodianship of Electronic Mail.
Please familiarize yourself with this policy, which can be found at: http://www.policy.cornell.edu/vol5_5.cfm.
This new policy sets the rules for disclosing to third parties the contents
of electronic mail transmitted and stored on the university's network.
Circumstances allowing such disclosure are:
- to respond to compulsory legal papers,
- where there is reasonable suspicion of a violation of law or policy,
- for a legitimate business purpose, and
- in the event of a health or safety emergency.
E-mail presents a complicated legal montage. Employment law states very
plainly that employees are not entitled to privacy in their electronic
communications for and on the company infrastructure. Yet federal privacy
laws are one of the main reasons for the establishment of this policy.
The university must establish minimum security and privacy standards
for handling this kind of data -- medical, banking and, most important,
educational records -- in order to be in compliance with federal laws.
Students, of course, are a key constituency: not only must the university
maintain the privacy of their educational records, but the university also
appreciates the expectation of privacy they have in the residence
hall environment, where the Cornell network transmits electronic mail from
their campus "home."
This policy and its procedures attempt to balance those competing laws,
regulations and expectations. Thus, it is not that simple to say to all
possible users of the network --
- students (who use the network as residence as well as for communication
of education, medical and banking records, if they receive financial
aid),
- staff (who have benefits information transmitted over the network
with medical information included in it) or
- faculty (who, in addition to having the issues that staff have,
also expect some degree of confidentiality over and above
the legal floor, especially for their research, which raises some copyright
issues)
-- you have no privacy in that data. Cornell University owns and operates
the infrastructure, which is why this issue is raised to the level of
university policy, but Cornell does not own, or have unequivocal property
rights, in all the data transmitted or stored on the infrastructure.
A full discussion of all of the circumstances of disclosure and their
respective approvals and procedures can be found by reading the entire
policy. Units may determine specific procedures to assist them in better
and more appropriate compliance with this policy while maintaining attention
to the particular structure and function of their organization.
Please direct questions about this policy to the OIT through Director
of IT Policy Tracy Mitrano at tbm3@cornell.edu or 254-3584.
(The information on this page is based on remarks made
by Tracy Mitrano at the March 3, 2005 UCPL
session.)
Last modified: May 23, 2007