University Email Access, Privacy, and Forwarding Standards

Overview

University-owned computing resources, including email accounts, are provided exclusively for the purpose of conducting University-related activities. Per University Policy AO 10 (Access to and Use of University Computing Resources), these systems are University property and must be used only in support of the University’s mission. Because University accounts are tied to the employment or enrollment relationship, access ends when that relationship ends. This standard describes how Pitt Digital, as administrator of Pitt Email (Microsoft Exchange), handles requests for account access, email forwarding, and automatic replies.

⚠ IMPORTANT: NO DIRECT THIRD-PARTY ACCESS TO UNIVERSITY EMAIL ACCOUNTS

Pitt Digital does NOT grant direct access to University email accounts to any third party, under any circumstances, without explicit written authorization from the Office of University Counsel (OUC).

This prohibition applies universally and without exception to:

  • Spouses, domestic partners, and significant others — regardless of any claimed emergency or personal circumstances
  • Parents, family members, and next of kin — even for student accounts
  • Personal representatives, estate executors, or attorneys — absent a lawfully issued court order or subpoena
  • Colleagues, supervisors, or department heads — who have not been granted access through the formal approval process

The primary exception is for Pitt departments requiring business continuity. Departments may request a .pst archive export of a departed employee’s mailbox through the Technology Help Desk, subject to appropriate management approval. Direct live account access is granted only in rare instances with explicit OUC authorization.

Requests that do not meet these criteria will be declined. This is not a matter of administrative discretion; it is required by University policy and federal and state law (see Privacy and Legal Framework below).


Out of Office Automatic Replies

✓ Recommended action for departments at termination or account disablement

Setting up an automatic reply at the time of account termination or disablement is strongly recommended for all departments. A properly configured auto-reply redirects incoming senders immediately, reducing the volume of requests to IT and security teams for account access, and in many cases eliminating the need for such requests entirely. Departments should coordinate with their unit administrator to ensure an auto-reply is in place before or at the point the account is disabled.

This step is also included in the Staff Separation Guide for Supervisors published by the Office of Human Resources.

When setting out-of-office messages for departing faculty and staff, the approved verbiage is as follows unless otherwise requested by the department:

Thank you for your message. The individual you are trying to reach is no longer affiliated with the University of Pittsburgh.

For assistance locating people at Pitt, please refer to the University’s Contact Us page.


Forwarding of Email Messages

Pitt Digital will not cause email messages to be forwarded to any address other than the address to which the message was originally sent. Active University students, faculty, and staff may configure a forwarding address for messages destined for their assigned University mailbox. If a message is undeliverable, a bounce notice will be sent to the original sender.

Pitt Digital will not forward email sent to the accounts of terminated faculty or staff. Because University email accounts are provided solely for conducting University-related activities, the email relationship and any associated forwarding terminate when the employment or enrollment relationship ends. It is the responsibility of the unit administrator or designee to notify relevant parties of the change in contact information and ensure that University business communications are redirected appropriately before the departure date.


Access and Retrieval of Stored Email Messages

University-owned computing equipment, networks, services, and resources, including email (collectively, the “system”), are provided for the purpose of conducting University-related activities and are therefore considered University property. As owner of the system, the University retains the right to access email messages as it deems necessary and appropriate. Employees and students should not expect individual privacy when using the system for personal matters.

Pitt Digital will provide access to stored email archives only:

  • For business continuity purposes — with appropriate departmental authorization (typically from a unit administrator or above)
  • In response to a lawfully issued subpoena, court order, or legal hold — coordinated through the Office of University Counsel
  • With explicit approval from the Office of University Counsel (OUC) in rare circumstances

When a mailbox archive is provided for business continuity, the standard delivery method is a .pst formatted file. Direct, live account access will not be granted except in rare instances with OUC approval.

This applies to all individuals no longer affiliated with the University, including terminated employees, retired faculty, and former students. The University does not maintain access to departed users’ email for the benefit of third parties, as these accounts were provided solely for University-related activities.


Privacy and Legal Framework

The University’s restrictions on third-party email access are grounded in both internal policy and multiple layers of federal and state law. Together, these create a strong legal and ethical obligation to protect the contents of University email accounts.

University Policies

Governing University Policies — policy.pitt.edu

AO 10 — Access to and Use of University Computing Resources
Establishes that University computing resources, including email, are provided solely for University-related activities. Unauthorized access or use outside this purpose is prohibited. (Effective March 5, 2024)

AO 35 — University Administrative Computer Data (UACD) Security and Privacy
Establishes data security standards and practices for the protection of University administrative computer data from unauthorized disclosure. Applies to all users of University administrative computer data.

AO 48 — University Information Security
Establishes a comprehensive information security framework to safeguard the confidentiality, integrity, and availability of all University information, including student records, research data, intellectual property, and health records. Providing unauthorized third-party access directly undermines this framework. (Effective August 5, 2025)

Federal Law

Family Educational Rights and Privacy Act (FERPA) — 20 U.S.C. § 1232g
FERPA protects the privacy of student education records. University email frequently contains communications related to student records, grades, academic standing, financial aid, and disciplinary proceedings. Disclosure to third parties, including parents of adult students, is prohibited without the student’s written consent, absent a specific FERPA exception.

Gramm-Leach-Bliley Act (GLBA) — FTC Safeguards Rule — 15 U.S.C. §§ 6801–6809
As an institution participating in federal student financial aid programs, the University is considered a “financial institution” under GLBA. The FTC Safeguards Rule requires the University to protect non-public personal financial information (NPI), including financial aid records, billing, and payment data, that may reside in University email accounts. Granting unauthorized third-party access could constitute a violation of the University’s GLBA compliance obligations.

Electronic Communications Privacy Act (ECPA) — Stored Communications Act (SCA) — 18 U.S.C. §§ 2510–2712
The Stored Communications Act specifically restricts unauthorized access to and disclosure of stored electronic communications, including email. It is a federal offense to access stored electronic communications without authorization. Access may only be compelled through valid legal process (subpoena, court order, or search warrant).

Health Insurance Portability and Accountability Act (HIPAA) — 42 U.S.C. § 1320d et seq.
For University employees affiliated with UPMC or Pitt’s health sciences programs, University email may contain Protected Health Information (PHI). HIPAA strictly prohibits disclosure of PHI to unauthorized parties.

Computer Fraud and Abuse Act (CFAA) — 18 U.S.C. § 1030
The CFAA makes it a federal crime to access a protected computer system, including University email servers, without authorization. Granting access to an account without proper legal authority does not insulate the University and may constitute facilitation of unauthorized access.

Pennsylvania State Law

Pennsylvania Breach of Personal Information Notification Act — 73 P.S. § 2301 et seq.
Pennsylvania law requires notification of individuals when their personal information is disclosed or breached. Unauthorized disclosure of University email contents, which routinely contain personally identifiable information, could trigger notification obligations under this statute and expose the University to state regulatory action.


Forwarding of Email Messages for Deceased Faculty

University departments are responsible for contacting the Technology Help Desk to notify Pitt Digital of a faculty member’s death and to provide contact information for individuals who will handle correspondence intended for the deceased faculty member. After receiving notification from the department, Pitt Digital will:

  • Discontinue any existing mail forwarding on the account
  • Create an automatic reply message directing correspondence to the designated contacts

The text of the automatic reply will read as follows:

This email account is no longer active. If your message is a personal matter, correspondence can be directed to [email address/phone number]. If this is a University-related matter, please contact [email address/phone number].

For alumni and emeritus faculty accounts, the requesting party must provide documentation establishing their legal right to act on behalf of the deceased or incapacitated account holder. Acceptable documentation includes Letters Testamentary, Letters of Administration (Executor of Will or Estate), or a Durable Power of Attorney. Requests without such documentation will not be honored.


Related Policies and Legal References

Questions regarding this standard should be directed to the Technology Help Desk. Legal questions regarding subpoenas, court orders, or estate matters should be directed to the Office of University Counsel.
