11.2.4 Email Policy

1.0 Overview

MGA provides official email accounts to faculty, staff, students, retirees, and authorized affiliates as a primary means of conducting University business. Email is an essential communication tool that supports MGA’s academic, administrative, and operational functions.

This policy establishes standards for the appropriate use of MGA email services and aligns with the University System of Georgia (USG) IT Handbook, Section 5.15: Email Use and Protection. MGA is committed to maintaining a secure, reliable, and compliant email environment that meets legal, regulatory, and institutional requirements.

Detailed technical requirements and procedures are documented in the companion Email Standards and Procedures document.

2.0 Purpose

The purpose of this policy is to establish clear guidelines for the appropriate and responsible use of email services and accounts provided by MGA. These guidelines ensure email supports the University’s objectives while maintaining compliance with federal, state, and local law; USG policies and standards; and other University policies.

3.0 Scope

This policy applies to all email systems operated on MGA networks and to every individual issued an official MGA email account, including faculty, staff, students, retirees, and authorized contractors or affiliates.

All email communications and records may be subject to disclosure under the Georgia Open Records Act (O.C.G.A. § 50-18-70 et seq.) and other applicable laws.

4.0 Policy

  1. Authorized Use

MGA email accounts are University property and must be used primarily for official University business. Limited personal use is permitted when incidental to an employee’s job duties and responsibilities, provided such use does not interfere with University operations or violate policy.

  2. Official Communication

Email is an official means of communication at MGA. The University will send important notices and information to faculty, staff, and students via their MGA email accounts. Users are expected to check their accounts regularly and read communications in a timely manner.

  3. Prohibited Activities

MGA email accounts must not be used for illegal activities, commercial solicitation, or partisan political purposes. Any use that violates federal, state, or local law, as well as USG or University policy, is strictly prohibited. See also: BOR Policy Manual Section 8.2.18.3 Prohibition on Certain Political Activities.

Auto-forwarding MGA email to personal accounts or to services with which MGA or USG does not have a formal contract is prohibited unless approved by the CIO. Approval requires a documented business justification.

  4. Sensitive Data Transmission

Email is inherently insecure unless appropriate safeguards are applied. Sensitive or confidential information must only be transmitted using approved encryption methods and in compliance with FERPA, HIPAA, and PCI DSS, as well as other applicable federal and state regulations. All users are responsible for understanding these requirements when handling regulated data.

Email is not a system of record. Users must transfer critical data to approved storage systems in accordance with retention guidelines.

  5. Ownership and Privacy

Users should have no expectation of privacy when using MGA email services. Email may be accessed for operational, security, or legal reasons without prior notice, and all email communications are subject to the Georgia Open Records Act (O.C.G.A. § 50-18-70 et seq.).

MGA reserves the right to inspect, copy, store, and disclose email content when necessary to:

  • Prevent or correct misuse
  • Comply with legal obligations
  • Ensure proper system operation
  • Address any other reason that has a legitimate documented business purpose, as approved by the CIO

  6. Approved Platforms

MGA shall implement email services through approved cloud providers. The official platform for MGA is Microsoft 365. Any exceptions must be documented and approved by the CIO or their designee(s).

  7. Account Termination

Email accounts and all associated data will be permanently deleted in accordance with the Account Retention and Deletion Schedule, which is published and maintained in the MGA Email Standards document.

Users should back up any personal or non-University data before account termination.

5.0 Enforcement

Violations of this Email Policy—including misuse of MGA email accounts, failure to comply with security requirements, or unauthorized activities—may result in actions such as restriction or revocation of email privileges. Depending on the severity of the violation, disciplinary measures may also apply in accordance with University policies and procedures, up to and including termination of employment.

Middle Georgia State University enforces Data Loss Prevention (DLP) controls on email communications to protect confidential information. Certain categories of sensitive data — including, but not limited to, Credit Card Numbers, U.S. Bank Account Numbers, U.S. Driver’s License Numbers, and U.S. Social Security Numbers (SSN) — are subject to automated restrictions. If a user attempts to send such data via email, the system may block the message by default. In cases where transmitting this information is necessary for legitimate business purposes, users must provide a documented business justification and follow the approved override process.

Any waiver of this policy’s requirements must be reviewed and approved by the CIO or their designee(s).

Users should promptly report suspected email policy violations, phishing attempts, or other security concerns to Cybersecurity to help safeguard University resources and maintain compliance.

7.0 Definitions

Authorized Use - Permitted use of MGA email accounts primarily for official University business, with limited personal use allowed when incidental to job duties.

Sensitive Information - Data that requires protection due to legal, regulatory, or privacy obligations. Examples include Social Security numbers, financial account details, and health information.

Encryption - A security process that converts data into a format unreadable without a key, used to protect sensitive information during transmission or storage.

Multi-Factor Authentication (MFA) - A security measure requiring two or more verification factors to access MGA email accounts.

Auto-Forwarding - Automatic redirection of email messages to external accounts. Prohibited unless approved by the CIO.

Operational details, including retention schedules, encryption instructions, and mailbox management, are defined in the Email Standards document.