Rutgers IT / Policies / Email and Calendaring Systems: Standards and Guidelines

Email and Calendaring Systems: Standards and Guidelines

These standards and guidelines govern the use of official Rutgers email and calendaring systems by faculty, staff, students, retirees, alumni, and guests.

These standards and guidelines are important to ensure: proper delivery of calendar events and email, enhanced security, improved collaboration and communications, business continuity, improved handling of e-discovery and Open Public Records Act (OPRA) requests, compliance with legal requirements for health information and other data, improved privacy, and simplified support.

Official Email and Calendaring Systems:

There are two official and approved email and calendaring systems at Rutgers University:

Rutgers Connect: Rutgers Connect is an implementation of Microsoft Office 365 and is primarily used by faculty and staff. Rutgers Connect is also used by students who handle protected health information (PHI). University guests and student workers can obtain accounts on this system as requested by their departments. Rutgers Connect is the official email and calendaring service for Rutgers faculty and staff and must be used for all Rutgers business.
ScarletApps (including ScarletMail): This is an implementation of Google Suite, previously known as Google Apps for Education. This system is primarily used by students, alumni, retirees, and some University guests, and is the official email and calendaring service for these groups. Faculty and staff may also use the system to collaborate with students.

Specific Standards and Guidelines for Rutgers Connect:

Rutgers Connect can be used for both non-restricted data and restricted data, such as protected health information (PHI). Microsoft has signed a Business Associates Agreement (BAA) with the University and is compliant with the Health Insurance Portability and Accountability Act (HIPAA), the Family Educational Rights and Privacy Act (FERPA), and other standards (see https://www.microsoft.com/en-us/trustcenter/compliance/complianceofferings for details). Specific guidelines for health-related communications include the following:
- The Rutgers Acceptable Use Policy (AUP, policy 70.1.1) places restrictions on emailing or storing HIPAA and other restricted data unless secure procedures are used.
- Rutgers Connect is HIPAA-compliant and can be used to store, process, and transmit HIPAA/PHI data safely in an encrypted manner. HIPAA/PHI data should not be shared with others who are not authorized or trained to handle restricted data.
- Rutgers Connect is not meant as a method to bypass other approved standard practices in handling HIPAA and other restricted data. In general, the use of email is discouraged when working with HIPAA or other restricted data because email can be accidentally sent to an unintended recipient or stored in an individual’s account for an indefinite period. Other standard encrypted services should be used to transmit HIPAA data when possible. For example, doctors can and should communicate to their patients using their standard patient portal.
Automatic forwarding of email messages to email accounts external to Rutgers Connect is not allowed. The @rutgers.edu forwarding service (which is used to handle email that is sent to netid@rutgers.edu or first.last@rutgers.edu, must not be used to automatically forward Rutgers email to email systems external to Rutgers. ScarletMail should also not be used as a means to automatically forward Rutgers email to systems external to Rutgers, bypassing the protections on Rutgers Connect.
All email handled by faculty, staff, and student workers to conduct University business must be created, stored, processed, and transmitted using Rutgers Connect. If a student worker is regularly required to use email to conduct University business, the student’s department must request a Rutgers Connect account for the student worker. Student workers can still use ScarletApps for other Rutgers activities.
Rutgers Biomedical and Health Sciences students and other students who handle HIPAA/PHI data are required to use Rutgers Connect for classes that handle this type of data.
All calendaring related to Rutgers business must be conducted on Rutgers Connect to foster collaboration and ensure the security of restricted data.

Specific Standards and Guidelines for ScarletApps:

ScarletApps is not configured or certified to handle restricted data. Non-restricted data can be used, processed, transmitted, and stored on ScarletApps. The only restricted data allowed as part of communications, involves direct communications between Rutgers departments/employees and Rutgers students sent between Rutgers Connect and ScarletMail as long as the communications is direct with an individual student, and the data is properly classified and handled according to the Information Classification Policy (70.1.2).
Rutgers Biomedical and Health Sciences (RBHS) students and other students who handle HIPAA/PHI data can maintain an account on ScarletApps for non-HIPAA/PHI matters (including non-HIPAA/PHI educational classes, student organizations, clubs, community service and other needs that don’t involve restricted data.
Alumni and retirees may request accounts on ScarletApps. Guests may request accounts through the applicable Rutgers department they are associated with. For more information or assistance with these requests, please contact the OIT help desk.
Faculty and staff may have ScarletApps accounts to access other tools and applications in the Google Suite. For more information or assistance with these requests, please contact the OIT help desk.
Automatic forwarding is enabled for student use on ScarletApps and must not be used by faculty or staff to auto-forward emails to any other email systems except Rutgers Connect.

General Standards and Guidelines for both Rutgers Connect and ScarletApps:

Mass mailers, bulk mailers, and mass email services and systems:
- The Rutgers RAMS and Mailman systems may be used for mass emails based on demographic information or general opt-in/opt-out email lists. Procedures are in place for these systems to ensure proper delivery to email accounts on Rutgers Connect and ScarletMail.
- Rutgers departments using third-party mass email services and systems, such as Constant Contact or MailChimp, must follow the following procedures:
  - Mass emails must be targeted to the smallest specific group, as needed, and the targeted group must be individuals who would reasonably expect to receive messages of the type being sent.
  - Mass emails must allow the receivers of such messages to opt out of non-official communications.
  - Mass emails must direct email messages to Rutgers faculty, staff, and students using their official email addresses on Rutgers Connect and ScarletMail, respectively, or via an official @rutgers.edu address pointing to Rutgers Connect or ScarletMail.
  - Rutgers departments sending mass emails must be careful when sending a high volume of messages to systems external to Rutgers while impersonating Rutgers University, as this increases the chances of Rutgers being classified as sending spam and being “blacklisted” (having Rutgers email blocked by external sites). [Impersonating email is using a forged from: type of email address so that the email seems to be coming from @rutgers.edu instead of the actual sending site.]
  - Third-party mass email services and systems cannot be used to send restricted data unless approved by the Office of Information Technology’s Information Protection and Security division and/or the Office of Enterprise Risk Management, Ethics, and Compliance.
  - Departments using Mass Mailers and the Mass Mailers themselves must work with OIT – EAS – Enterprise Messaging to ensure proper delivery of their messages to the Rutgers email and calendaring systems. Otherwise their email may end up in spam/junk folders or automatically discarded.
Storage Confidentiality and Privacy:
- Both Microsoft and Google have policies and procedures to ensure privacy and protect data:
- All Rutgers IT staff, including system administrators for Rutgers’ email and calendaring systems, must respect the privacy of all users’ email and data, and will only access such data when requested by the user, resolving email security or systems performance problems, or for official e-discovery or OPRA requests.
- All University officials and personnel must respect user data and the privacy of such data.
Users must not send spam, threats, phishing emails, or other attacks. Users should also not attempt to mask their identity or use third-party services to mask their identity or location. Users should also be aware of phishing attacks that can occur and should not respond to such attacks, including never giving up one’s private information (Social Security numbers, bank information, and other private data). See the Rutgers AUP (Acceptable User Policy) for more details.

Related policies that must be complied with include:

Acceptable Use Policy (AUP) (70.1.1)
Information Classification (70.1.2)
Incident Management (70.1.3)
Information Security Awareness, Training, and Education (70.1.4)

Definitions:

Phishing: Phishing is the attempt to obtain sensitive information such as usernames, passwords, Social Security numbers, and credit card/banking details (and money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication. Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter personal information at fake websites, the look and feel of which are often identical to the legitimate ones. Phishing emails may also contain links to websites that are infected with malware.

Spam: Unsolicited bulk email.

University Guests: Guests are individuals who are not directly affiliated with Rutgers University as staff, faculty, or students. Guests include, but are not limited to, visiting scholars or researchers, visiting staff, visiting faculty, contractors, vendors, volunteers, etc.