Iowa State University

Information Technology

Exchange Email Best Practices

Who controls access to the information in my emails?

All users must understand that data traversing or stored in University systems are subject to disclosure requests under public records law, under subpoena and in the discovery process in litigation. In order to comply with the law, university officials may have direct access to stored information as provided below.

This process is outlined in the Acceptable Use of Information Technology Resources policy.

What is the proper way to delete messages?

When you "delete" a message, it goes into your Deleted Items folder and will remain there for 30 days. To remove the message from your mail account, you need to empty your Deleted Items folder or configure your mail client to empty this folder on exit.

What if I don't empty the Deleted Items folder?

Any messages that remain in your Deleted Items folder for more than 30 days will be automatically removed.

Once I've deleted a message, is it really gone?

Deleted messages are recoverable only for 30 days after they are removed from the mail account. This is true regardless of whether you have deleted the item yourself, or it was done automatically.

If I forward my email off campus is it still subject to open records requests?

Public records law applies to all records "belonging to" the University. As applied to employees, the statute requires us to treat communications received or written on behalf of the University as "belonging to" the University, even if they are off site or in another account. Just as a piece of University equipment does not belong to someone else when it is carried off the campus, the e-mail still is a University record when it is forwarded to some other account.

If I use a personal account to discuss ISU business is this open to public record requests?

Yes, if the communication is written or received on behalf of the University. No, if the communication is about the university's business, but not for University purposes. This does not mean everything the employee writes about the university is subject to the public records law. For example, a communication by an employee to his/her doctor that work is stressful is written for purely personal reasons, since it is not written on behalf of the University.

How can I separate personal emails from work messages?

The best way is to maintain separate accounts for work and personal messages. Most Internet Service Providers (ISP) will give you one or more email accounts when you sign up for internet access from your home. If not, vendors like Google, Microsoft, and Yahoo can provide you with free accounts. You should tell family and friends to contact you via those third-party accounts and reserve your Iowa State address strictly for university business.

What do I have to keep, and what can I delete?

Iowa State has a Records Retention Policy and comprehensive schedule regarding record retention that includes email and associated documents. Records of business or historical value must be preserved, though they don't have to stay in e-mail. For example, correspondence notifying someone of a decision should be preserved. Many email messages may be considered "transitory" and need not be kept. However, if they are retained they are subject to open records laws. No e-mail messages should be deleted if they are relevant to a subpoena, litigation discovery request, public records request or if a litigation hold has been issued by the Office of University Counsel. You should consult the schedule for definitions and guidance. For more information, see the University Records Retention Schedule.

How do I deal with spam and other unwanted messages?

The best thing to do is ignore them and delete them immediately. If you find that you get a large number of messages from a single sender or with similar subject headings, you can set up a rule that automatically deletes them. You do need to be careful, however, that the rule doesn't accidentally delete messages that you would want to see. For information on configuring spam rules at ISU, see how to Manage Spam (Exchange).

Who do I contact about suspicious email messages?

Remember that IT Services and Iowa State will NEVER ask for your password or personal information. If you get a message that does, it is probably part of a "phishing" scheme designed to trick you into revealing your password. You should forward any suspicious messages to abuse (at) iastate (dot) edu. The IT Services security team will investigate the issue and contact you if they need more information.

Is it safe for me to use email on a mobile device?

While email is moved between your mobile device and the Iowa State Exchange email system in a secure way, the privacy of your email depends on your mobile device and the applications and software you've installed, as well as any controls put in place to secure it.