Email Management Policy
1. Background and Purpose
Email is an essential component of business communication; however, it presents many challenges because it can introduce security threats to the network. Email can also affect the company's liability by providing a written record of communications. Hence a well-thought-out policy is essential for Melbourne Racing Club, its subsidiaries and related entities (“MRC”) to meet legal and regulatory retention requirements, protect confidential information, increase workflow efficiency and reduce company risk.
This Email Management Policy (“Policy”) outlines expectations for appropriate, safe, and effective email use.
2. Scope
The scope of this policy includes MRC's email system in its entirety, including desktop and/or web-based email applications, server-side applications, and email relays (“MRC Email System”). It covers all electronic mail sent from the system, as well as any external email accounts accessed from MRC’s network.
This is a mandatory policy that applies to all employees of MRC, whether permanent, temporary, casual, part-time or fixed-term. This policy also applies to all partners and third parties who have access to the MRC Email System (collectively, “Users”).
3. Policy
Users must use the MRC Email System in accordance with this Policy.
3.1. Acceptable Use of MRC’s Email System
Users are asked to exercise common sense when sending or receiving email from MRC email accounts. Additionally, the following applies to the proper use of the company email system.
3.1.1. Sending Emails
Email must be addressed and sent carefully, keeping in mind that MRC loses control of an email once it leaves the MRC Email System.
Users must take extreme care when typing in addresses (particularly when email address autocomplete features are enabled), when using the "reply all" function, and when using distribution lists, in order to avoid inadvertent disclosure of information to an unintended recipient.
Users must take care when emailing to avoid unintentional disclosure of sensitive or non-public MRC information.
3.1.2. Personal Use and General Guidelines
Personal use of the MRC Email System is permitted subject to the following:
- usage must not negatively impact the corporate computer network;
- usage must not negatively impact the User's job performance;
- the MRC Email System must not be used for spamming, harassment, communicating threats, solicitations, chain letters, or pyramid schemes (this list is not exhaustive, but is included to provide a frame of reference for the types of activities that are prohibited);
- Users must not forge email header information or attempt to impersonate another person;
- Users must not send information that is considered confidential or proprietary to MRC via email, regardless of the recipient;
- Users must not open email attachments from unknown senders, or when such attachments are unexpected or look suspicious.
3.1.3. Business communication and email
Users must recognise that email sent from MRC’s Email System reflects on the organisation and, as such, email must be used with professionalism and courtesy.
3.1.4. Email Signature
An email signature (contact information appended to the bottom of each outgoing email) should be automated by MRC’s IT department for all email sent from the MRC Email System. At a minimum the signature should include:
- URL for Corporate Website
- Reference to days worked (if not full time)
Email signatures should not include personal messages (political, humorous, etc.).
3.1.5. Mass Emailing
Mass emails may be used for both sales and non-sales purposes (such as communicating with MRC's employees or customer base) and are permitted as the situation dictates.
The sending of spam, on the other hand, is strictly prohibited.
MRC and Users must comply with applicable laws governing the sending of mass emails. For this reason, as well as in order to be consistent with good business practices, MRC requires that email sent to more than twenty (20) recipients external to MRC have the following characteristics:
- The email must contain a subject line relevant to the content.
- The email must contain contact information, including the full physical address, of the sender.
- The email must contain no intentionally misleading information (including the email header), blind redirects, or deceptive links.
Note that emails sent to MRC employees, existing customers, or persons who have already enquired about MRC's services are exempt from the above requirements.
3.1.6. Opening Attachments
Users must use care when opening email attachments. Viruses, Trojans, and other malware can be easily delivered as an email attachment.
Users must:
- never open unexpected or suspicious email attachments;
- never open email attachments from unknown sources; and
- never click links within email messages unless they are certain of the link's safety. HTML-formatted emails can display one web address while the underlying hyperlink points to a different, malicious address, so it is often best to retype the URL, or to copy the displayed address text (not the hyperlink itself) into your web browser, rather than clicking the link.
MRC may block emails it considers dangerous, or strip potentially harmful email attachments, as it deems necessary.
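The hazard described above (a link whose visible text shows one address while its real target is another) can be checked mechanically before a message reaches a User. The following is an added illustration and is not part of the MRC policy or any MRC tooling: it parses an HTML email body with Python's standard library, collects every anchor, and flags those whose visible text looks like a web address but whose host differs from the host of the actual href. The sample email bodies are constructed for this example.

```python
"""Flag anchors in an HTML email body whose visible text shows one
address while the hyperlink actually points somewhere else.

Added illustration of the point made in section 3.1.6; not part of the
MRC policy. The sample bodies below are constructed for this example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Loose test for "this visible text looks like a web address".
_LOOKS_LIKE_URL = re.compile(
    r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:[/?#].*)?$", re.I)


def _host(text: str) -> str:
    """Return the lowercase host part of a URL-ish string ('' if none)."""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []      # finished (href, text) pairs
        self._href = None      # href of the anchor currently open
        self._text = []        # text fragments seen inside it

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_deceptive_links(html: str) -> list:
    """Return findings for links whose visible text is a web address
    with a different host than the real href target.  Anchors whose
    text is ordinary wording ("click here") are not flagged here; they
    still deserve a hover check, but they are not pretending to be a URL."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        if not _LOOKS_LIKE_URL.match(text):
            continue
        shown, real = _host(text), _host(href)
        if shown and real and shown != real:
            findings.append({"shown": text, "href": href,
                             "shown_host": shown, "real_host": real})
    return findings


# Constructed sample bodies (example.com is a reserved documentation domain).
SAFE_BODY = ('<p>See <a href="https://www.example.com/news">'
             'https://www.example.com/news</a></p>')
DECEPTIVE_BODY = ('<p>Reset your password at '
                  '<a href="http://login.example-secure.net/x">'
                  'https://www.example.com/reset</a> or '
                  '<a href="https://www.example.com/help">click here</a></p>')

if __name__ == "__main__":
    for f in find_deceptive_links(DECEPTIVE_BODY):
        print(f"shown {f['shown']!r} but link goes to {f['href']!r}")
```

Run on `DECEPTIVE_BODY` the check reports one finding: the text `https://www.example.com/reset` is displayed, but the link resolves to `login.example-secure.net`. A mail gateway could apply the same comparison to rewrite or quarantine such messages, which is the kind of filtering section 3.4.1 leaves to MRC's discretion.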
3.1.7. Monitoring and Privacy
MRC reserves the right to monitor any and all use of the computer network to ensure compliance with MRC policies. This may include the interception and review of any emails or other messages sent or received, and inspection of data stored in personal file directories, on hard disks, and on removable media.
3.1.8. Ownership of Email
MRC owns and maintains all legal rights to the MRC Email System and network, and thus any email passing through these systems is owned by MRC. Emails may be backed up, otherwise copied, retained, or used for legal, disciplinary, or other reasons. Additionally, Users should be aware that email sent to or from certain public or governmental entities (for example, Racing Victoria) may be considered public record.
3.1.9. Contents of Received Emails
MRC has little control over the contents of inbound email, and an email may contain material that a User finds offensive. If reported to MRC, MRC may attempt to filter and block such emails; however, no solution will be 100 percent effective.
Users should not open emails that, in their opinion, seem suspicious.
If a User is particularly concerned about an email, or believes that it contains illegal content, they should notify their supervisor or IT.
3.1.10. Access to Emails from Mobile Phones
Many mobile phones and other devices, often called smartphones, provide the capability to send and receive email. MRC permits Users to access the MRC Email System from a mobile phone.
Refer to relevant policies such as the IT Asset Management and Bring Your Own Device Policies for more information.
3.1.11. Email Regulations
MRC must ensure that emails are adequately retained for at least the minimum periods for retention as per any MRC Records Retention Policy which may be in place from time to time and in accordance with applicable laws.
3.2. External and/or Personal Email Accounts
MRC recognises that Users may have personal email accounts in addition to their company-provided account. The following sections apply to non-company-provided email accounts:
3.2.1. Use for Company Business
Users must use the corporate email system for all business-related email. Users are prohibited from sending or receiving business email from a non-company-provided email account.
3.2.2. Access from MRC Network
Users are permitted to access external or personal email accounts from the corporate network, as long as such access complies with section 3.2.1 and the User uses no more than a trivial amount of the User’s time and MRC resources.
3.2.3. Use for Personal Reasons
Subject to section 3.1.2, Users should use a non-company-provided (personal) email account for any non-business communications. Users must follow applicable MRC policies regarding the access of non-company-provided accounts from MRC network.
3.3. Confidential Data and Email
Users are encouraged to encrypt any email containing highly confidential, sensitive or bulk personal information sent external to MRC using Office 365 Message Encryption (OME). MRC IT should ensure that each User's Office 365 account is configured to use email encryption.
Encryption is encouraged, but not required, for emails containing confidential information sent internal to MRC.
When in doubt, encryption should be used.
3.4. Administration of Email
MRC will use its best efforts to administer its email system in a manner that allows Users to be productive while reducing the risk of an email-related security incident.
3.4.1. Filtering of Email
MRC will filter email at the Internet gateway and/or the mail server in an attempt to filter out spam, viruses, or other messages that may be deemed:
- contrary to this policy; or
- a potential risk to MRC's IT security.
Additionally, email and/or anti-malware programs may identify and quarantine emails that they deem suspicious.
3.4.2. Email Disclaimers
The use of an email disclaimer (text appended to the end of every outgoing email message) is an important component of MRC's risk reduction efforts.
MRC IT must enforce email disclaimers on every outgoing email, containing the following notices:
- The email is for the intended recipient only
- The email may contain private information
- If the email is received in error, the sender should be notified and any copies of the email destroyed
- Any unauthorised review, use, or disclosure of the contents is prohibited
An example of such a disclaimer is:
NOTE: This email message and any attachments are for the sole use of the intended recipient(s) and may contain confidential and/or privileged information. Any unauthorised review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by replying to this email, and destroy all copies of the original message.
3.4.3. Email Deletion
Users must not delete email in an attempt to hide a violation of this or another MRC policy. Further, email must not be deleted when there is potential of an investigation or litigation where that email may be relevant. Users should seek advice from the Legal Department if Users are unsure regarding deletion of email contents.
3.4.4. Account Termination
When a User leaves MRC, or their email access is officially terminated for another reason, MRC will disable the User's access to the account.
MRC is under no obligation to block the account from receiving email, and may continue to forward inbound email sent to that account to another User, or set up an auto-response to notify the sender that the User is no longer employed by MRC.
3.5. Prohibited Actions
The following actions constitute unacceptable use of the MRC Email System. This list is not exhaustive, but is included to provide a frame of reference for the types of activities that are deemed unacceptable. Users must not use the MRC Email System to:
- send anything that is illegal;
- access another User's email account, other than:
  - with the knowledge or permission of that User, which should only be given in extreme circumstances;
  - with the approval of the Executive Director - People & Culture in the case of an investigation or litigation; or
  - where such access is a function of the employee's normal job responsibilities;
- send any emails that may cause embarrassment, damage to reputation, or other harm to the MRC;
- disseminate defamatory, discriminatory, vilifying, sexist, racist, abusive, rude, harassing, annoying, insulting, threatening, obscene or otherwise inappropriate messages or media;
- send emails that cause disruption to the workplace environment or create a hostile workplace, including emails that are intentionally inflammatory or that include information not conducive to a professional working atmosphere;
- make fraudulent offers for products or services;
- attempt to impersonate another person or forge an email header;
- send spam, solicitations, chain letters, or pyramid schemes;
- knowingly misrepresent MRC's capabilities, business practices, warranties, pricing, or policies; or
- Subject to 3.2.1, conduct non-company-related business.
3.5.1. Data Leakage
Unauthorised emailing of MRC data, confidential or otherwise, to external email accounts for the purpose of saving that data on external systems is prohibited.
MRC may employ data loss prevention techniques to protect against leakage of confidential data.
4. Applicability of Other Policies
- MRC Data Breach Response Plan
- Acceptable Data Use Policy
- Information Security Policy
5. Key Legislation, Acts & Standards
- Standards Australia. (2016). Information technology – Security techniques – Information security management systems – Overview and vocabulary (ISO/IEC 27000:2016). Sydney: Author
- MRC Records Retention Policy
6. Enforcement
Non-compliance with this Policy may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Where illegal activities are suspected, MRC may report such activities to the applicable authorities. If any provision of this policy is found to be unenforceable or voided for any reason, such invalidation will not affect any remaining provisions, which will remain in force.
7. Review
It is recommended that this Policy be reviewed biennially.[1]
8. Further assistance
For advice and assistance on policy matters please direct your enquiries to MRC’s IT Department via itsupport@mrc.net.au.
9. Glossary of terms/definitions
- Auto Responder: An email function that sends a predetermined response to anyone who sends an email to a certain address. Often used by employees who will not have access to email for an extended period of time, to notify senders of their absence.
- Certificate (Digital Certificate): A file that confirms the identity of an entity, such as a company or person. Often used in VPN and encryption management to establish trust of the remote entity.
- Customer: Any MRC member, customer, staff member, partner, contractor or any other person whose information is in the possession of MRC.
- Customer Information: All information held by MRC in respect of any Customer, including information such as a person’s name, signature, home address, email address, telephone number, date of birth, medical records, bank account details and employment details, whether this data is held physically or logically, in paper, photographic or electronic form.
- Data Leakage: Also called Data Loss. Data leakage refers to data or intellectual property that is pilfered in small amounts or otherwise removed from the network or computer systems. Data leakage is sometimes malicious.
- Email: A message, including any attachments, sent in an electronic format from one user to one or more other users via a computer network, using an email protocol.
- Encryption: The process of encoding data with an algorithm so that it is unintelligible without the key. Used to protect data during transmission or while stored.
- Mobile Device: A portable device that can be used for certain applications and data storage. Examples are PDAs or Smartphones.
- Password: A sequence of characters that is used to authenticate a user to a file, computer, network, or another device. Also known as a passphrase or passcode.
- Spam: Unsolicited bulk email. Spam often includes advertisements, but can include malware, links to infected websites, or other malicious or objectionable content.
- Smartphone: A mobile telephone that offers additional applications, such as PDA functions and email.
- Two Factor Authentication: A means of authenticating a user that utilises two of the following: something the user knows, something the user has, or something the user is. Examples are smart cards, tokens, or biometrics, in combination with a
- User: Any permanent, temporary, casual, part-time or fixed-term employee, and any partner or third party who has access to the MRC Email System.
[1] The review date is recommended only. Should this Policy not have been reviewed or updated by its review date, it shall remain in force and does not expire.