Use of Non-Duke Email Accounts

Applicable To: 

Duke Health

Duke University

Version: 1.1

Duke Security Offices position statement on use of non-Duke email accounts:

• This is a recommended posture for Duke University faculty, staff and students.
• This is a required posture for Duke Health employees. (Am I Duke Health?)

Duke University, Health, and Kunshan faculty, staff, and students use their Duke-issued email account (including, but not limited to, @duke.edu, @dm.duke.edu, @mc.duke.edu, @dukekunshan.edu.cn, and other duke emails) for Duke-related communications, including academic and research-related work. 

Users should avoid: 

1. Using Duke email systems for personal use, this includes sending or receiving messages unrelated to Duke academic, business, or research-related activities. 

2. Using external email accounts, including personal email accounts on services such as Google Gmail, for sending or receiving Duke business, academic, or research-related messages. This includes avoiding the use of automatic forwarding to send Duke email to an external email account. 

The Duke Security Offices discourage the use of external email accounts due to the following risks: 

• Duke data that is transmitted and stored on non-Duke systems, which may lack the same security or privacy posture as Duke systems, thereby increasing the risk of data exposure. 

• Use of external email accounts may violate regulations, policies, standards, or agreements pertaining to specific protected or confidential data due to comingling/mixing of data that may be accidentally shared with non-authorized individuals. Violation of regulations or contractual obligations may expose you to personal liability. 

• The Duke Security Offices are unable to verify the controls implemented on external systems, such as encryption or other safeguards.  Duke is also unable to aid in suspected security issues with external email accounts, such as phishing or account compromise. 

• External email accounts used for Duke business, academic, or research-related activities may undergo review or interruption due to legal holds, investigations, or other legal processes. 

Faculty, staff, and students are required to comply with applicable regulations, Duke policies or standards (Confidentiality Agreement), or other agreements that may prohibit sending or receiving certain types of data via email or that may require specific security practices when sending the data to external vendors or partners. 

Security Offices position statements outline the ISO/ITSO's view on security-related topics and provide guidance concerning Duke standards.

Updated: 01/2024
Document Type: Other