Carnegie Mellon University

User Practices

The following are best practices for users managing business related electronic data in Carnegie Mellon's computing environment. These practices should be followed to promote efficient retention of business records and to ensure easier compliance in the event that you receive a litigation hold.

  1. Send business related email using a Carnegie Mellon email account (e.g.,, or a departmental email account (e.g.,,  Personal email accounts such as (non-CMU) Gmail, Yahoo, or AOL should not be used for business-related communication. Using Carnegie Mellon email accounts and systems helps to provide an audit trail that might be useful in the event of a litigation hold.
  1. Organize data using separate folders for business related and personal data.  Further separations such as filing by project or topic can help to isolate potentially relevant items.
  1. Be aware of what systems are used to store your data - What email system do you use?  Do you keep local archives of email? Are your files stored on your local machine or on a network folder?
  1. Know whether or not your data is being backed up. It is typically safe to assume that email stored on servers is backed up.  Is your hard drive backed up? Is this done by your departmental computing group?  Do you back up your files yourself? If the hard drive is backed up, do you know what the backup retention policy is?
  1. Configure dual delivery if you forward your Carnegie Mellon email to a personal email account. Dual delivery is the process of delivering email to both your Carnegie Mellon email account and your personal email account. Dual delivery can be setup through Carnegie Mellon's web portal. 
  1. If using a mobile device for email, be sure to "cc" your university or departmental account on all university business correspondence.
  1. If using cloud storage (e.g. Box), use a licensed Carnegie Mellon service to store university Public and Private data.  In general, refrain from storing university Restricted data in cloud storage services, unless it's authorized by the appropriate Data Steward, in accordance with the university Cloud Computing Guidelines.

If encryption is used for email or file storage, ensure that a supervisor or another Carnegie Mellon authorized individual has the means to decrypt the data. Decryption keys or passwords can be placed in a personnel file, sealed in an envelope and stored in a safe location, etc.