Never send sensitive information by email.
- Email is like a postcard - an unauthorized party could intercept and access your message.
- The recipient might share it in a way you would not want.
- You don't control what your recipient retains.
- Accessing your email over an insecure network (e.g., in an Internet cafe or on an open wireless network) can expose your user account information.
- Encrypted connections reduce the risk that your authentication credentials will be compromised, but email is plain text when traveling between the sender and the recipient, and can still be easily intercepted.
- Regardless of the provider, email is not a secure method of communication. This applies to current campus email systems as well as most third-party email providers.
- Email can be made significantly more secure via the use of message encryption and digital certificates.
Sensitive information in electronic communications includes any information that is protected by law, policy, or specific contract. Generally it includes:
- Social Security numbers
- Driver's license numbers
- Credit card information
- Medical/health conditions, etc.
This information should not be sent by email, regardless of the email provider. If you would not want information to appear in public, it should be sent encrypted or not at all. Email can easily be read en route, kept forever, or shared with unintended readers.
However, data that is protected by HIPPA, FISMA, export controls, or specific funding contract provisions is NOT approved for use with UTmail. Any questions regarding interpretation can be sent to the Information Security Office (firstname.lastname@example.org).
Open records request
Student and alumni UTmail accounts are not generally subject to open records requests. However, there are scenarios in which they could be subject to disclosure pursuant to an open record request.
Examples include but are not limited to the following scenarios:
- Students who are employed by the university and use their UTmail account for university business could be subject to an open records request regarding that specific university business.
- Alumni who conduct university business with their UTmail account (e.g., a person who is a contractor but also an alumnus) could also be subject to an open records request regarding that specific university business.
- Faculty and staff UTmail accounts generally ARE subject to open records requests, as are faculty and staff Austin Exchange Messaging Service (AEMS) email accounts and faculty and staff email accounts hosted by various colleges and departments. However, many emails in these accounts would not be subject to disclosure because they would fit within any number of exceptions to the open records law. Examples include but are not limited to emails that are protected by the attorney client privilege, or which contain Family Educational Rights and Privacy Act (FERPA) protected information, or other information made confidential by law.
Data storage outside the United States
Google operates datacenters in Europe and Asia as well as the United States. By law, some intellectual property should not be stored outside the United States. Individuals handling sensitive materials should not share this information by email regardless of the email provider. Also, an email intended for a domestic user can be easily forwarded elsewhere.