University of California, Riverside


E-mail Security

Guidelines, Requirements, Best Practices – E-mail Security, Privacy, and Protection of Sensitive Information

  • E-mail – Insecure Platform. E-mail is inherently an insecure communications tool.  Therefore, when using e-mail, UCR faculty, staff, and students should consider the sensitivity of the information they are transmitting and take appropriate steps to ensure the privacy and confidentiality of their communications.

  • E-mail Prohibited by Law / UC Policy.  Importantly, some types of data are protected by federal/state law and UC policy.  For example, unencrypted medical information, social security numbers, credit card numbers, driver license numbers, etc. may NEVER be sent via e-mail.  Questions relating to the electronic transmission of this type of data should be addressed to Computing and Communications.
  • E-mail and Sensitive Information – Guidelines and Best Practices.  In some cases, the transmission of sensitive data (e.g. employee ID number) is required to meet a legitimate university operational need.  When a business requirement exists, the following guidelines and best practices must be followed:
    • General Commitment to Privacy and Confidentiality.  When transmitting sensitive data via e-mail (e.g. names, identification numbers, student data, salary information), UCR faculty, staff, and students should adopt practices and approaches that ensure the privacy and confidentiality of the data in question.  For example, “to” addresses, courtesy copies, etc. should be thoroughly reviewed prior to sending an e-mail containing sensitive information.
    • Business Requirement.  Sensitive information should only be transmitted via e-mail when a clear business requirement exists for such communications.
    • Anonymize Data.  Whenever possible, sensitive data should be anonymized (e.g. names, identification numbers, etc. should be removed).
    • Forwarding E-mail.  E-mail containing sensitive information should not be forwarded unless a clear business / operational requirement exists and the original sender has provided consent.
    • Remove Data After Review / Use.  When appropriate, UCR faculty, staff, and students should remove sensitive data from their computers / tablets / smart phones after it is reviewed and the business need in question is addressed.
    • Limit Transmissions to UCR Mail Servers if Possible.  UCR faculty, staff, and students should only send sensitive data to off-campus, non-UCR managed mail servers when a clear business requirement exists to do so.
    • Use File Sharing Tools if Possible. When appropriate, UCR faculty, staff, and students should use other tools (e.g. networked drives and file shares) as an alternative to transmitting sensitive data via e-mail.

Department Information

Computing & Communications
Computing & Communications Bldg.

Tel: (951) 827-4741
Fax: (951) 827-4541