USE OF EMAIL IN SOUTHERN WESTCHESTER BOCES Policy 6411

Adopted: November 13, 2024
For more SWBOCES Policies please visit the SWBOCES Public Board Docs Policy Book.  

 Overview 

Email is a valuable tool that allows for quick and efficient communication. However, careless, unacceptable, or illegal use of email may place Southern Westchester BOCES (SWBOCES) and members of its community at risk. Use of email in SWBOCES must be consistent with SWBOCES' organizational goals and comply with federal and state laws and regulations, as well as all applicable SWBOCES policies, regulations, procedures, collective bargaining agreements, and other related documents. This includes, but is not limited to, the SWBOCES Code of Conduct, this policy, and SWBOCES policies on non-discrimination and anti-harassment, protecting the personal information of SWBOCES employees and students, acceptable use, and record management. 

SWBOCES-related emails are most secure and best managed when SWBOCES email services are used. Accordingly, SWBOCES email services should be used for all SWBOCES-related emails, including emails in which students or student issues are involved. Personal email accounts are not be used to conduct SWBOCES-related business. Further, SWBOCES email accounts should not be used as any individual's primary personal email address. 

Scope and Application of Policy 

This policy applies to all SWBOCES employees and any individual assigned an SWBOCES or LHRIC email address to conduct SWBOCES-related business (authorized user). 

Sending Emails or Calendar Invites with Personal, Private, and Sensitive Information (PPSI) 

Employee PPSI and student personally identifiable information (PII) is any information to which unauthorized access, disclosure, modification, destruction, use, or disruption of access or use could have or cause a severe impact on critical SWBOCES functions, employees, students, third parties, or other individuals or entities. For purposes of this policy, employee PPSI and student PII includes, but is not limited to: 

a) SWBOCES assessment data; 

b) Protected student records; 

c) Information subject to laws protecting PII such as the Family Educational Rights and Privacy Act (FERPA), Individuals with Disabilities Act (IDEA), Health Insurance Portability and Accountability Act (HIPAA), and New York State Education Law 2d; 

d) Social security numbers; 

e) Driver's license or non-driver identification card numbers; 

f) Credit or debit card numbers; 

g) Account numbers; 

h) Passwords; 

i) Access codes; 

J) Employee-related data, including but not limited to, evaluations, addresses, dates of birth, and phone numbers. 

k) PPSI related to candidates for employment or potential new hires of SWBOCES 

Failure to follow proper security protocols when emailing PPSI or PII increases the risk that unauthorized individuals could access and misuse PPSI or PII. 

SWBOCES employees and authorized users may not send or forward emails that include: 

a) PPSI or PII without director, building principal or supervisor authorization. Additional precautions, such as encrypting the email or password protecting attachments using an SWBOCES-approved method, should be taken when sending any emails or calendar invites containing PPSI or PII. 

b) Lists or information about SWBOCES employees or students without director, building principal, or supervisor authorization. 

c) Subject lines or attachments with file names that may disclose PPSI or PII. Files containing PPSI or PII should be password protected and/or encrypted. File protection passwords should not be transmitted using the same email as the attached file. A separate encrypted email should be sent with the file protection password. SWBOCES employees and authorized users will not use unauthorized cloud-based storage services (such as Dropbox) to transmit files with PPSI or PII without prior SWBOCES approval or consulting with a director, building principal, or supervisor. 

d) Comments or statements about SWBOCES that may negatively impact it. 

Any questions regarding SWBOCES protocols for sending emails with PPSI or PII or what information may or may not be emailed should be directed to a supervisor or the SWBOCES Data Protection Officer. 

Receiving Suspicious Emails 

Social engineering attacks are prevalent in email. In a social engineering attack, an attacker uses human interaction (social skills) to obtain confidential or sensitive information. 

Phishing attacks are a form of social engineering. Phishing attacks use fake email messages pretending to represent a legitimate person or entity to request information such as names, passwords, and account numbers. They may also deceive an individual into opening a malicious webpage or downloading a file attachment that leads to malware being installed. 

Malware is malicious software that is designed to harm computer systems. Malware may be inadvertently installed after an individual opens an email attachment, downloads content from the Internet, or visits an infected website. 

Before responding to any emails, clicking on any hyperlinks, or opening any attachments, SWBOCES employees and authorized users should review emails for indicators of suspicious activity. These indicators include, but are not limited to: 

a) Attachments that were not expected or make no sense in relation to the email message; 

b) When the recipient hovers the mouse over a hyperlink that is displayed in the email, the link to the address is for a different website; 

c) Hyperlinks with misspellings of known websites; 

d) The sender is not someone with whom the recipient ordinarily communicates; 

e) The sender's email address is from a suspicious domain; 

f) Emails that are unexpected, unusual, or have bad grammar or spelling errors; and 

g) Emails asking the recipient to click on a link or open an attachment to avoid a negative consequence or to gain something of value. 

h) The sender is known to the receiver, but the messaging is not something that would normally be distributed by the sender. 

SWBOCES employees and authorized users should forward suspicious emails using the integrated Phish Notify button in their email client. If no such mechanism is available or has changed, at a minimum, the user should contact the LHRIC Service Desk immediately to report these types of messages. 

No Expectation of Privacy 

SWBOCES employees and authorized users should have no expectation of privacy for any email messages they create, receive, or maintain on their SWBOCES email account. SWBOCES has the right to monitor, review, and audit each SWBOCES employee's and authorized user's SWBOCES email account. 

Accessing SWBOCES Email Services on Personal Devices 

In the event an SWBOCES employee or authorized user loses a personal device that has been used to access the SWBOCES email service, the SWBOCES employee or authorized user should notify the SWBOCES Director of Technology and LHRIC Service Desk so that measures can be taken to secure the email account. 

Personal Use 

SWBOCES email services are intended for SWBOCES-related business only. Incidental or limited personal use of SWBOCES email services is allowed so long as the use does not interfere with job performance. However, SWBOCES employees and authorized users should have no expectation of privacy in this email use. 

SWBOCES email services should not be used to conduct personal banking/financial transactions, job searches, post personal information to bulletin boards, blogs, chat groups, and list services, etc. without authorization from a director, building principal, or supervisor. 

It is prohibited to use the SWBOCES email services for: 

a) Illegal purposes; 

b) Transmitting threatening, obscene, discriminatory, or harassing materials or messages; 

c) Personal gain or profit; 

d) Promoting religious or political causes; and/or 

e) Sending spam, chain letters, or any other type of unauthorized widespread distribution of unsolicited mail. 

f) Sending or soliciting invitations for events that are not supported by or directly organized by SWBOCES. Accessing personal email accounts or services (Yahoo, Gmail, etc.) should be kept to a minimum, may not interfere with the performance of the employee’s duties and responsibilities, and should only occur during non-student contact times and/or during approved break times. Questions or concerns regarding the use of these services on the SWBOCES Computer System (BCS) should be directed to the Director of Technology. 

Confidentiality Notice 

A standard confidentiality notice will automatically be added to each email as determined by SWBOCES. 

Training 

SWBOCES employees and authorized users will receive ongoing training and/or updates related to the use of email in SWBOCES. This training may cover topics such as: 

a) What is expected of users, including the appropriate use of email with students, parents, and other individuals to avoid issues regarding harassment and/or charges of fraternization; 

b) How to identify suspicious emails, as well as what to do after receipt of a suspicious email; 

c) Emailing PPSI and/or PII; 

d) How to reduce risk to SWBOCES; 

e) Cost of policy non-compliance; 

f) Permanence of email, including how email is never truly deleted, as the data can reside in many different places and in many different forms; and 

g) How users should have no expectation of privacy when using the BCS or any SWBOCES email service. 

Notification 

SWBOCES will provide annual notification of this policy and any corresponding regulations to all SWBOCES employees and authorized users. SWBOCES will then require that all employees and authorized users acknowledge that they have read, understood, and will comply with the policy and regulations. 

Records Management and Retention 

The same laws and business records requirements apply to email as to other forms of written communication. 

Email will be maintained and archived in accordance with Retention and Disposition Schedule for New York Local Government Records (LGS-1) and as outlined in any records management policies, regulations, and/or procedures. 

Additionally, emails may be subject to disclosure under the Freedom of Information Law (FOIL), a court action, an audit, or as otherwise required or permitted by law or regulation. 

Disciplinary Measures 

Failure to comply with this policy and any corresponding regulations or procedures may subject an SWBOCES employee or authorized user to discipline such as loss of email use, loss of access to the BCS, and/or other disciplinary action up to and including termination, in accordance with law and applicable collective bargaining agreements. When applicable, law enforcement agencies may be contacted. 

The SWBOCES IT staff may notify an SWBOCES employee or authorized user of inappropriate use of email and/or report such inappropriate use to the SWBOCES employee’s or authorized user’s director, building principal, or supervisor who may take appropriate action, which may include disciplinary measures in accordance with law and applicable collective bargaining agreements. 

NOTE: Refer also to Policies #3320 -- Confidentiality of Computerized Information 

#3420 -- Non-Discrimination and Anti-Harassment in 

SWBOCES 

#5670 -- Records Management 

#6413 -- Staff Acceptable Use Policy 

#8271 -- Internet Safety/Internet Content Filtering