Good email management

Email is a vital communication medium for the University, and management of this communication is a central part of good records management.

A checklist for staff

Rights and responsibilities

Individuals have a right of privacy in their personal lives, and a right to know their employer's position with regard to the monitoring of communications.  Please see the University's monitoring policy for further details.

As an employer, the University has the right and responsibility to ensure the quality and legality of its activities and the security of its systems. 

In common with the principles for managing any University information, those using email systems should only keep emails if the message:

  • Proves you have taken a particular action.
  • Proves some action has been taken by another individual.
  • Provides the best way of keeping the information (e.g. if you want to keep a reference to a person’s contact details, save the information to your contact list rather than retaining an exchange of email messages).

Remember that all your emails may be open to scrutiny so create communications only for what is needed to progress an issue, and retain what is needed for proof that an action was taken.

To maintain a sufficient record of exchanges about a major issue or project you should:

  • Decide what the salient records to retain are, and be rigorous about weeding out draft documents and discursive exchanges from the final selection
  • Decide who will be the recognised records keeper for a particular issue – even if the emails are kept on a shared drive, one person should have responsibility for providing access to them on receipt of a request

Create and manage email messages with care

Emails are a form of official communication and should be written with the same care as letters.

Always use your University email address for University business. Please see the IT Code of Conduct for further details. 

  • Check emails for clarity, and make sure that they contain nothing which will embarrass the University, make it liable to litigation, or defame an individual.
  • Use meaningful subject lines, so that they reflect the content of the message accurately.
  • Keep emails as brief as possible.
  • In the interests of information security you must heed the IT Services 
  • Where possible only address one topic per email.
  • Be mindful when drafting emails that they may be disclosed to individuals other than the originally intended recipient:
    • Emails may have to be disclosed when requested, as evidence in cases of discrimination, harassment, or defamation.
    • Information about a living individual is disclosable to them under Data Protection legislation.
    • General information exchanged by email may be disclosable to the public, through the Freedom of Information (Scotland) Act 2002.
  • When replying to an email, only keep the relevant parts of the original text as part of your response, so that the context of your message is clear. Avoid adding to and circulating long and potentially irrelevant threads. As emails are potentially disclosable you need to make it clear in the reply that you have edited the original text.
  • Set up separate folders for your personal emails and weed regularly.
  • Establish a structured file directory (by subject / activity / project).
  • Use folders to store messages for reference and delete any messages you no longer need.
  • Remember to delete your sent messages folder regularly.
  • Users of MS Exchange and Outlook can delete messages without the option of recovery by selecting “Shift” + “Delete”. If you only use the “Delete” key, remember to also empty the Deleted Items / Trash Bin regularly.

Sharing of information via email

  • Do not allow backlogs of unwanted emails to accumulate in your Inbox or Deleted Items folder, as this impedes your ability to locate the information you need (and reduces the speed of the server for everyone else).
  • Before you send messages to individuals, understand how to use carbon copy (cc) and blind carbon copy (bcc) functions.

Adding an email address in the CC or "carbon copy" field means that a copy of the email you are sending will also be sent to that address. Adding an email address in the BCC or "blind carbon copy" field means that a copy of the email you are sending will also be sent to that address, but no one else receiving the email will be able to see the address in the BCC field.

  • Do not copy emails to people unless they need to see them, especially if the content is confidential. Make it clear to the recipient that they should not pass on the message without first contacting you (or the original sender).
  • Use shared locations to give access to joint documents rather than sending them as attachments.
  • Be consistent about the use of sensitivity flags or security marking. Use “confidential” or “high priority” when it reflects the nature of the content rather than as a matter of routine.  Be aware that use of these flags may draw attention to the message, and does not necessarily ensure confidentiality.
  • Don’t create long lists of names in the “to” field. If you regularly send messages to a group of people, IT Services can create a distribution list for you. Contact the UofG Helpdesk.
  • Whatever your email system, don’t rely on the “Recall Message” function – this function is dependent on the way that the recipient’s server is configured, so there is no guarantee that it will work. 

If a message has been sent inadvertently and needs to be recalled, contact the UofG Helpdesk immediately.

Security of email systems

  • Always ensure your computer is locked or logged out when you leave your desk, as someone else could send messages in your name.
  • Never reply to unsolicited spam email, even when given an option to remove your name from their mailing list, as this is just a trick to confirm that your email address is valid.
  • If you subscribed to a list, then it’s safe to use the instructions given by the host.
  • Keep your passwords or log-on code secure: do not share them, and ensure that they are not visible to other users.
  • Remember that email is not a secure form of communication. Emails may be sent to the wrong person inadvertently, or your communications may be intercepted.  It is the electronic equivalent of sending a postcard!
  • If your role requires you to deal with large volumes of email correspondence, set an “autoreply” message giving alternative contact details when you are unavailable.

Handling email attachments

  • Avoid clicking on links or attachments in unsolicited emails, as this is a common way to spread computer viruses.
  • Attachments containing sensitive information should be password protected or shared via alternative means (e.g. a OneDrive folder).

Emails and information requests

Many FOI (Freedom of Information) requests and Subject Access Requests ask for information potentially held in email accounts. In the event of these requests, work email accounts – including the inbox, sent, and deleted folders – must be searched for relevant information. Any resulting emails are forwarded to the DP & FOI Office for consideration in the final response to the applicant.

It is important for staff to note that work accounts are not the only email accounts that may be subject to search under a FOI or Subject Access request.  

Section 3(2)(b) of the Freedom of Information (Scotland) Act states that “for the purposes of this Act…information is held by an authority if it is held by a person other than the authority, on behalf of the authority”. This means that FOI may apply to information held in a private email account, if that information relates to University business.

  • If you are conducting University business via your personal email account, those emails should be disclosed in the event of a FOI or Subject Access Request. 

If you know that you hold emails in your private account that are relevant to the request, it is your responsibility to provide them along with any other information relevant to the request.