If you use your UVM account or device for your own personal use, even if it’s incidental or occasional, READ THIS! 

In an industry like higher education, we recognize that the lines between personal and professional life can blur—especially in a world where smartphones, cloud apps, and hybrid work are the norm. While UVM allows for occasional and incidental personal use of university resources, it is important to understand the privacy implications that come with that flexibility. 

This isn’t about surveillance. It’s about protecting you, your privacy, and your information and data. 

Here are some important guidelines to follow:

What the Policy Says—and What It Implies: 

UVM’s Privacy Policy and Information Security Policy are clear: employees are expected to safeguard Non-Public Protected Data (NPPD), which includes anything from student and employee records to health information, financial data, social security numbers, and more. But, even when you’re not handling sensitive data, your use of university systems and technology for personal use can have unintended consequences. 

Let’s explore a few common scenarios that aren’t always spelled out in policy—but are very much touched by it. 

Personal Apps on University Devices:

Installing, using, or logging into a personal iMessage, Gmail, or other communication app on your university-owned laptop or phone might seem harmless. But if that device is ever subject to a public records request or legal discovery, your personal messages could be swept up in the process. That’s not a scare tactic—it’s a reality. While it would be unlikely that your personal communications would need to be disclosed under the Vermont Public Records Act, in the event of a request, someone at UVM may need to parse through communications to determine what is responsive.  

Tip: Keep personal communications on personal devices and in personal accounts whenever possible. 

Forwarding Work Emails to Personal Accounts: 

While UVM is working to address auto-forwarding more broadly, until that happens, you should know the risk should you choose to forward emails to your personal account. If you forward emails from your @uvm.edu or @med.uvm.edu account to a personal email address like Google, Yahoo or a non-UVM instance of Outlook, those messages may lose their protected status and, depending on the content of the emails, it could also leave UVM systems vulnerable. In the event of litigation or a public records request, you could be required to disclose personal content from your private inbox if it contains university-related information and, again, while it is unlikely personal communications would be responsive, it would still require someone to go through and make that determination. Also, as an unintended consequence, if there is harmful content like malware or a virus in the forwarded email, that could spread to your personal email account causing disruption to both your personal and your UVM accounts. 

Tip: Avoid forwarding work emails to personal accounts. Use UVM-approved platforms for university business and use personal accounts for personal business. 

Shared Devices and Family Access: 

Letting your child or partner use your smartphone might seem convenient—but if that phone has your UVM Outlook or Teams account logged in, it could lead to unauthorized access to confidential information. Depending on the data type and whether it is regulated, even accidental exposure could be considered a privacy or data breach and require reporting to law enforcement or government agencies. 

Tip: Use device-level security (like biometrics or PINs) and avoid sharing devices that access university systems. 

Using Your UVM Email Account for Personal Accounts: 

Signing up for your bank, social media, or streaming services with your @uvm.edu or @med.uvm.edu email address might make password management easier—but it also means those communications could be considered public records. If your inbox is ever reviewed, those messages could be included. If you were to become incapacitated or otherwise unable to login to these personal accounts, UVM would be unable to provide access to a trusted family member, executor, or your power of attorney. This means that they would be unable to retrieve any sort of password reset requests for those personal accounts leaving them locked out and unable to handle critical business matters. 

Tip: Use a personal email address for all non-work-related accounts. 

Why It Matters: 

UVM’s policies are designed to protect both the university and you. When personal and professional data mix, it becomes harder to defend privacy boundaries. And while the university would not monitor your email or Teams messages without cause, there is no expectation of privacy¹ when using university resources. The university has legal obligations like public records requests and litigation holds that would require it to respond, and this response could include accessing your email or Teams messages. 

Drawing bright lines between personal and professional use isn’t just a best practice—it’s a safeguard for your own privacy, your colleagues’ confidentiality, and the university’s compliance with state and federal laws. 

Final Thoughts: 

We want to support you in making thoughtful choices. By keeping personal matters within your personal accounts and work matters within university systems, you can help minimize risks, maintain your privacy, and honor the trust that comes with handling university information responsibly. 

If you have questions or need help navigating these boundaries, the Office of Compliance & Privacy Services is here to support you.