Policy for staff and student use of AU’s email and calendar system (A.13.2.3)

Here you can find information about the current rules on the use of the email and calendar system for employees and students at Aarhus University.


Objective

The objectives of AU's policy regarding the use of the email and calendar system are:

  • to protect information contained in electronic messages and the calendar system in an appropriate manner.
  • to communicate guidelines for the use of AU’s email and calendar system.

Assigning email accounts

All employees and students are automatically provided with a mailbox and can send and receive emails and access a calendar system. Visiting staff and part-time employees (part-time lecturers, teaching assistants, student assistants, etc.) are not automatically assigned an email account, but they can get one at the request of their immediate manager.

You can read more about guidelines for students’ use of AU mailboxes here.

Email use, including private emails – especially for staff (including student assistants)

Use of email is primarily reserved for activities that are directly work/study-related. However, AU email accounts may be used for private purposes. Private emails should be clearly marked to distinguish them from work/study-related emails. This can be done by writing ‘Private’ in the subject line or by moving the email to a folder labelled ‘Private’. You should always create a folder for private email correspondence.

Special rules for those who are both students and members of staff at AU    

Student assistants/hourly paid members of staff should use shared mailboxes and AU’s case and document management system whenever possible when performing tasks related to case processing. Student assistants should avoid using their AU mailbox for work purposes whenever possible so that they do not receive study-related and work-related emails in the same mailbox – emails that should be kept separate.

If student assistants do receive work-related emails in their AU mailbox, they must organise their mailbox into separate folders so that it’s clear which folder contains study-related emails and which contains work-related emails. Work-related emails of a practical or social nature – such as newsletters or messages about department lunches – do not need to be placed in the work-related email folder.

Ownership and access to mailboxes

AU owns the content of staff mailboxes – in the same way as it owns other data. However, this does not apply to private correspondence, which should therefore be marked ‘Private’, as described in section 2.

As a general rule, the content of students’ mailboxes is regarded as private, and AU is therefore not entitled to open a student’s mailbox unless there is an agreement to this effect or it is necessary for technical, security or legal reasons.

Access to staff mailboxes

AU IT can access all AU mailboxes. This may be necessary in the event of technical breakdowns or in case of an urgent need to access an email sent to an absent employee.

If AU IT needs to access a mailbox, AU IT will make every effort to agree this with the employee concerned. If this is not possible, an agreement must be made with the employee’s (immediate) manager. The employee concerned must then be informed as soon as possible.

In the individual units, employees may agree to grant a colleague (such as a secretary) read access to their mailbox or parts of it. Such agreements should be made openly by the individual units.

If an employee leaves AU, regardless of the reason, AU has the right to access their mailbox for the purpose of accessing work-related correspondence – see ‘Accessing mailboxes of employees who have left AU’. It is recommended that an agreement on access to a mailbox be made before the employee leaves AU, and that the employee be given the chance to clear their private correspondence before access is granted.

Blocking of email account

AU IT has the right to block an email account and immediately disconnect a given user’s computer if deemed necessary to maintain security, avoid legal violations or otherwise safeguard operations.

Guidelines for processing of personal data in AU’s email and calendar system

Personal data in emails

As a general rule, you should avoid sending sensitive and/or confidential personal data in emails.

If it is necessary to do so, you may email sensitive and/or confidential personal data internally at AU. You may also use AU’s email system to send confidential personal data to external recipients in accordance with the applicable data classifications. You may NOT send sensitive and/or large volumes of confidential personal data unencrypted to email systems outside AU. Instead, use AU’s secure mail platform. Read more here.

Staff should process emails containing sensitive and/or confidential personal data immediately — either by filing them and then deleting them from their mailbox or by deleting them once they have been read. Emails containing sensitive and/or confidential personal data must be deleted within 30 days of being received/sent. AU’s email and calendar system is not intended to serve as a repository of confidential or sensitive personal data. 

Emails containing non-sensitive personal data must be deleted from the mailbox when there is no longer a lawful basis for storing the data.

Forwarding emails

As AU’s email and calendar system is used as a tool for case processing, emails circulating at AU may contain sensitive and/or confidential information. Emails from AU must therefore not be forwarded automatically to email systems outside AU, including private email accounts, such as Gmail, Hotmail/Outlook.com or Yahoo (with the exception of the Royal Danish Library and Region Midt).

Personal data in AU’s calendar system

The calendar is a planning tool and should therefore not be used for processing sensitive and confidential information. For example, you may not enter civil registration numbers or information related to a person’s health, criminal history or sexual orientation in the calendar.

Non-sensitive personal data can be processed in the calendar, but you should make sure that you do not inadvertently disclose confidential or personal data. You should therefore only enter the information that is needed to use the calendar function. Always write the least possible information required for the task in the calendar. Personal data may only be displayed in the calendar as long as there are objective grounds to do so.

Shared calendar and private appointments

All employees’ calendars are, as a general rule, visible to other employees. This means that all employees can see the time, location and subject of other people’s meetings/appointments. This is due to the high priority given to collaboration and sharing of knowledge across the university.

Students cannot view staff calendars unless actively permitted by an employee. Staff cannot view student calendars as they are considered private. Likewise, students cannot view other students’ calendars unless actively permitted to do so.

Private appointments

Marking appointments as ‘Private’ in the calendar does not exempt you from the data protection rules. This means that confidential and sensitive information may not be entered in the calendar, even if appointments are marked as ‘Private’.

If you do not want an appointment to be visible, it should be marked ‘Private’. The subject, location, content, participant list and attachments cannot then be viewed by others. Others can still see that you are busy.

If you send others a meeting request marked as ‘Private’, please note that the other attendees can unmark the appointment as ‘Private’. This will happen, for example, if you book a room for the meeting. The system will automatically clear the ‘Private’ marking so that the subject is visible in the room calendar. When booking meetings, you should therefore always use neutral text in meeting titles.

Responsible use of AU’s email and calendar system

AU IT protects email traffic as best it can by means of filters against viruses, malware and spam as well as regular security updates on computers. However, these measures alone cannot guarantee complete protection, and all email users are therefore expected to familiarise themselves with and be vigilant with respect to information security threats transmitted by email. Read more about what you can do to protect yourself against phishing and other security threats on the Information Security Department’s website. 

Criminal activities

The use of email accounts and calendars for criminal activities of any kind, including (but not limited to) the distribution of pirated software, music and films or other circumvention of the Danish Copyright Act, is prohibited. Nor may email accounts be used for illegal activities such as sending spam.

Commercial use

The use of email accounts and calendars for private commercial activities is prohibited. Approved commercial activities (such as AU subsidiaries) must have their own email domain, and clear guidelines must be prepared to ensure that employees send emails from the correct account, to avoid a confusion of roles.

It is up to the individual user to ensure that they do not damage AU’s reputation through their email use.

Accessing mailboxes of employees who have left AU

When an employee leaves AU, their email account is automatically deactivated when they are removed from the employee master data system, and a default automatic reply is set up. When an email account is deactivated, the former employee can no longer log in to their email account or send emails from it.

Before they leave, it is the responsibility of the local management to ensure that employees clean up their mailboxes, and that emails containing information that is relevant to the unit are forwarded to other users.

Once an employee has left, it is generally no longer possible to gain access to their mailbox. However, if it is necessary for work-related reasons, a manager (department head or deputy director) may grant access to mailboxes for a limited period (maximum one year after the employee leaves). The manager must justify this continued access in writing, and this written justification must be filed. The former employee must also be notified.

After 12 months, the mailbox and the automatic reply will be deleted automatically. The email address will remain unique and will not be reused.

Secrecy of correspondence

Emails are covered by secrecy of correspondence, see Section 263(1) of the Danish Criminal Code.

If an employee has left AU, the rules on secrecy of correspondence must therefore still be respected. A person who is granted access (see above) can therefore only read and copy work-related emails and appointments. Emails and appointments/meetings that are marked as private must not be opened. If an employee unwittingly opens an email or appointment/meeting marked ‘Private’, they must close the email or appointment/meeting immediately without reading the content.

Manual automatic reply

If an employee wishes to set up a manual automatic reply that is different from the one described – e.g. one that states their new/external email address – they must agree this with their local management before leaving AU. The content of the mailbox will still be deleted, cf. the deadlines stated above. 

For those who stop working but continue as students at AU (such as student assistants or students enrolled in continuing education), special conditions apply. When an employee leaves but continues as a student, they must delete their work-related emails. It is easier to do this if they have stored their work-related emails in a separate folder. The termination of employment takes effect from the date on which the last employment relationship is removed in the employee master data system.

Students’ enrolment is terminated when they are no longer active students at AU. Students have access to their email and other IT systems for three months after their enrolment is terminated, after which access is closed and their emails are deleted.

Access to AU email via smartphones and tablets

For security reasons, only certain smartphones and tablets are supported and can be used to access AU email. As a general rule, phones and tablets with up-to-date versions of either Android or iOS are supported.

In order to use email on your phone/tablet, you must accept the following policy:

  • Your phone/tablet must be password-protected.
  • Your phone/tablet must lock automatically after a maximum of 10 minutes.
  • Your phone/tablet must be encrypted.

If you lose a phone/tablet connected to AU’s email system, you are obliged to notify your local IT support or report it as a security breach. Security breaches must be reported here.

Mass emails

If an employee needs to send information to multiple recipients (a mass email) outside Aarhus University, it is important that the recipients’ email addresses are handled appropriately. This also applies internally at AU if the content of the email and the list of recipients are confidential or sensitive. 

In mass emails, the recipients must be anonymised so that no personal data is shared.

The email addresses of the recipients of mass emails must not be visible in the email itself. To ensure anonymity, the sender should always list the recipients’ emails in the bcc field.

As a general rule, students are not allowed to use their AU mail for mass emails unless a special arrangement has been made.

Employees at Aarhus University have access to a corporate email address primarily intended for activities which are directly related to work.