Jisc banner

Image of JISCMail logo w/ link to homepage
Email discussion lists for the UK Education and Research communities

Service Policies

1. Introduction

JiscMail supports communication, collaboration and the free-flowing exchange of ideas through email lists primarily for the benefit of UK further and higher education and research communities.

Your use of the service is subject to Janet's Acceptable Use Policy, available at: https://community.jisc.ac.uk/library/acceptable-use-policy and to UK laws. JiscMail reserves the right to remove any message, user or list that, in our opinion, violates any section of this policy.

Subject to compliance with the Data Protection Act 1998 we may also disclose information necessary to operate our systems, run the service, comply with the law, or protect the service and its users.

We routinely review this policy to ensure it reflects our services, funding and the needs of the wider educational community, and changes to it will be communicated on our website.

By using JiscMail you accept these conditions so please read them carefully.

[Return to Top]

2. Using JiscMail

[Return to Top]

3. Ethics

We endeavour to operate JiscMail to the highest standards and our relationship with you is based on trust. We expect your conduct when using JiscMail to be legal and honest and we will take action against anyone whose activities are found to violate this request.

When using JiscMail you are not permitted to:

JiscMail does not control or bear any liability for the content of messages you or others post to lists, it acts as a conduit for messages and we are not liable for the conduct of any other JiscMail user. JiscMail neither moderates nor edits messages before they are posted to the list.

[Return to Top]

4. Role of List Owners

Each JiscMail list is managed and owned by one or more individuals, referred to as "List Owners". At least one owner of each list must work within the UK academic and research community. List Owners are expected to manage their lists fairly and for the benefit of the majority of their list’s subscribers.

For the purpose of satisfying Data Protection requirements, as detailed in the UK Data Protection Act 2018, each List Owner is the Controller of the personal data held within their respective lists. Jisc's obligations as a Processor of this data can be found in Section 12: Data Protection Schedule.

In addition to the above, List Owners are specifically responsible for:

The JiscMail Helpline is always available to assist or provide guidance on any of these tasks.

[Return to Top]

5. Mailing List Privacy Notice

Every new mailing list has a default Privacy Notice, the notice explains how information (provided by subscribers, when joining a mailing list or using a mailing list) is used, stored and (in some cases) shared, and how it can be removed.

The notice reads:

To update the wording of the policy on your mailing list contact help@jisc.ac.uk.

[Return to Top]

6. Content of Messages

Sending messages to JiscMail lists is a matter of common sense, use your own sense of what is appropriate to guide your conduct without engaging in unreasonable behaviour or disrupting the general flow of discussion on a list (see Section 3: Ethics).

You are responsible for the content of the message(s) you post to JiscMail lists, they should be courteous and relevant to the list topic. Private (off-list) correspondence should not be posted to lists, without first seeking permission from each correspondent involved.

JiscMail cannot assume any responsibility for the content of any messages sent to lists other than those from JiscMail themselves and we do not review, screen or edit the content.

List Owners may also provide their own guidelines for acceptable use and list etiquette and we expect list members to abide by these.

Security

The security of messages sent to JiscMail cannot be guaranteed due to the nature of the internet; you should bear this in mind when posting confidential information to a list, even when access to the list is restricted.

Anti-Spam Measures

Promotional messages should only be sent to a list if it is related to the subject or purpose of that list or of potential interest to list members, such as: new releases of software packages, publications, training courses, websites, job vacancies, conferences, etc. If in doubt always check with the List Owner (See Section 4: Role of List Owners).

JiscMail does not allow subscribers to post spam, junk mail, chain letters or other unsolicited bulk email, to lists.

Avoid posting the same message to several lists at the same time as this can be misinterpreted as spam, which will result in your messages being rejected and your account being blocked for 48 hours.

We cannot guarantee to block all spam, but the following are used to protect against spam on JiscMail:

Copyright

Further information on copyright is available from the Jisc website, Guide to Copyright Law or visit The UK Copyright Licensing Agency.

[Return to Top]

7. Mailing List Archives

Messages you post to JiscMail lists may be archived by the list (visible on the JiscMail website) and also by individual list subscribers (stored in subscriber email accounts).

The confidentiality and privacy of JiscMail archives is determined by the List Owner (not JiscMail). The default welcome message, which is sent to new subscribers, describes the privacy setting on the mailing list archive.

The different archive setting are:

To protect the rights of current and previous subscribers a list is not permitted to change the archive privacy settings from private to public.

It is your responsibility as a subscriber to find out how the list archives are managed before you post to a list.

[Return to Top]

8. Mailing List Etiquette

Our simple guidelines for getting started with JiscMail mailing lists, If in doubt check with the List Owner (See Section 4: Role of List Owners).

Further information on mailing list etiquette is available from the BBC.

[Return to Top]

9. Limitations

JiscMail cannot make guarantees about the speed or proportion of emails sent that will be delivered, or that HTML messages will display properly when viewed by all subscribers.

Delivery of emails is dependent upon accurate and up to date email addresses, suitable internet availability and connectivity, anti-spam and junk mail policies adopted by the recipients email service providers as well as restrictions regarding the content, wording and graphics of an email.

JiscMail does not control or bear any liability for the content of messages you or others post to lists, it acts as a conduit for messages and we are not liable for the conduct of any other JiscMail user. JiscMail neither moderates nor edits messages before they are posted to the list.

JiscMail cannot assume any responsibility for the content of any messages sent to lists other than those from JiscMail themselves and we do not review, screen or edit the content.

Service Limitations

Our service providers, L-Soft, host JiscMail servers and provide communication services. We will use all reasonable endeavours to ensure L-Soft provides its services at or above industry standards. L-Soft does not guarantee that JiscMail will be uninterrupted, error, bug or virus free or that the delivery or emails will be without delay. It may be necessary to temporarily suspend JiscMail services to carry out maintenance; such suspensions will be limited and will take place as much as possible outside core working hours. We may also be suspended (in whole or part) where L-Soft is obliged to comply with an order, instruction or request of government, a court or other competent administrative authority or an emergency service organisation.

Service Performance

From time to time we may need to take the service offline, to carry out essential upgrades, and changes to make the service even better. We inform List Owners of planned downtime through our OWNERS-ANNOUNCE mailing list.

If, at any time, we notice any issues with the performance of the service, we endeavour to notify users as quickly as possible. We do this using our Service Status (traffic lights) on our website homepage, https://www.jiscmail.ac.uk and post updates to our social media accounts, Facebook and Twitter.

[Return to Top]

10. Data Protection

JiscMail is operated by Jisc and is registered for compliance under the Data Protection Legislation (as described in Section 12: Data Protection Schedule)

The Data Protection Schedule sets out JiscMail's obligations to each List Owner (the data Controller) with regard to any Personal Data it processes on behalf of the List Owner. In the event of any conflict between the Data Protection Schedule and any other provision of these service policies, the relevant provision of the Data Protection Policy shall take precedence.

[Return to Top]

11. Violating this policy

If you suspect that a JiscMail user has violated this policy - contact the JiscMail helpline as soon as possible by emailing help@jisc.ac.uk or telephoning 0300 300 2212.

The decision on what action to take will be made by JiscMail on a case by case basis and will often depend on whether the infringement was innocent, inadvertent or intentional. The decision whether to take action, and if so, which action, is at JiscMail’s discretion.

Abusive or threatening messages sent to any JiscMail list, or to JiscMail Helpline staff will be treated as a violation of this policy.

We may take any of the following actions as deemed appropriate:

Disagreements between members of a list regarding list management should be taken up with the List Owner.

[Return to Top]

12. Data Protection Schedule

As each List Owner is the Controller of any personal data that is made available by a user via a list they own, then JiscMail acts as the Processor, processing this data on behalf of the List Owner. As such, current Data Protection Legislation requires that there be a written agreement between the Controller (List Owner) and Processor (JiscMail) that sets out the Processor obligations with regard to this Processing. This schedule describes the Processor obligations.

DEFINITIONS

1 The following definition apply to this Data Protection Schedule

Agreement

means the agreement between Jisc and the Customer for the provision of the service;

Applicable EU Law

any law of the European Union (or the law of one of the Member States of the European Union);

Controller, Processor and Data Subject

Shall have the meaning given to those terms in the UK Data Protection Act 2018;

Data Protection Legislation

means (a) any law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding restriction (as amended, consolidated or re-enacted from time to time) which relates to the protection of individuals with regards to the processing of data to which a Party is subject, including, primarily, the UK Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003 (PECR), but also the GDPR where data concerns EU citizens; and (b) any code of practice or guidance published by the Regulator from time to time;

Data Protection Particulars

means, in relation to any Processing under this Agreement:

(a) the subject matter and duration of the Processing;

(b) the nature and purpose of the Processing;

(c) the type of Personal Data being Processed; and

(d) the categories of Data Subjects.

Data Subject Request

means an actual or purported subject access request or notice or complaint from (or on behalf of) a Data Subject exercising his/her rights under the Data Protection Legislation;

Data Transfer

means transferring the Personal Data to, and/or accessing the Personal Data from and/or Processing the Personal Data within, a jurisdiction or territory that is a Restricted Country;

GDPR

means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and repealing Directive 95/46/EC (General Data Protection Regulation) OJ L 119/1, 4.5.2016;

Permitted Purpose

means the purpose of the Processing as specified in the Data Processing Particulars;

Personal Data

has the meaning given to it in the GDPR and for the purposes of this Agreement includes Sensitive Personal Data;

Personal Data Breach

has the meaning given to it in the GDPR and, for the avoidance of doubt, includes a breach of Clause 4.1.3;

Personnel

means all persons engaged or employed from time to time by Jisc in connection with this Agreement, including employees, consultants, contractors and permitted agents;

Processing

has the meaning given to it in the GDPR (and "Process" and "Processed" shall be construed accordingly);

Regulator

means the UK Information Commissioner's Office (including any successor or replacement body);

Regulator Correspondence

means any correspondence or communication (whether written or verbal) from the Regulator in relation to the Processing of Personal Data;

Restricted Country

means a country, territory or jurisdiction outside of the European Economic Area which the EU Commission has not deemed to provide adequate protection in accordance with Article 25(2) of the DP Directive and/or  Article 45(1) of the GDPR (as applicable):

Security Requirements

means the requirements regarding the security of the Personal Data, as set out in the Data Protection Legislation (including, in particular, the seventh data protection principle of the DPA and/or the measures set out in Article 32(1) of the GDPR (taking due account of the matters described in Article 32(2) of the GDPR)) as applicable;

Sensitive Personal Data

means Personal Data that incorporates such categories of data as are listed in Article 9(1) of the GDPR;

Service

means the JiscMail service;

Schedule

means this schedule which forms part of the Agreement.

Third Party Request

means a written request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by law or regulation;

2. ARRANGEMENT BETWEEN THE PARTIES

2.1 The Parties shall each Process the Personal Data in accordance with the terms of this Schedule. The Parties acknowledge that the factual arrangement between them dictates the classification of each Party in respect of the Data Protection Legislation. Notwithstanding the foregoing, the Parties anticipate and agree that the List Owner shall act as Controller and Jisc shall act as Processor, as follows:

2.1.1 The List Owner shall be a Controller where it is Processing the Personal Data in relation to the services being supplied by Jisc; and

2.1.2 Jisc shall be a Processor where it is Processing the Personal Data in relation to the Permitted Purpose in connection with the performance of its obligations under these service terms

2.2 Each of the Parties acknowledges and agrees that the following table sets out an accurate description of the Data Protection Particulars;

The subject matter and duration of the Processing

JiscMail, the national academic mailing list service, provides email discussion and announcement lists which enable groups of individuals to communicate and collaborate on a local, national or international level using dedicated email discussion and announcement lists.

The duration of the Processing will be for the term of the Service agreement between the List Owner and Jisc.

The nature and purpose of the Processing

The Personal Data will be Processed in order to provide the Service ordered by the List Owner.

The categories of Data Subjects

The Data Subjects are the users of JiscMail

3. CONTROLLER OBLIGATIONS

3.1 As the Controller in respect of the Processing of the Personal Data, the List Owner shall ensure that:

3.1.1 It is not subject to any prohibition or restriction which would prevent or restrict it from disclosing or transferring the Personal Data to Jisc in accordance with the terms of this Schedule; and

3.1.2 all fair processing notices have been given (and/or, as applicable, consents obtained) and are sufficient in scope to allow the List Owner to disclose the Personal Data (including any Sensitive Personal Data) to Jisc for the delivery of the Service in accordance with the Data Protection Legislation.

4. PROCESSOR OBLIGATIONS

4.1 Jisc (as a Processor in relation to any Personal Data Processed by (or on behalf of) the List Owner pursuant to the Agreement) undertakes to the List Owner that it shall:

4.1.1 Process the Personal Data for and on behalf of the List Owner in connection with the performance of the Service only and for no other purpose in accordance with the terms of this Agreement and any instructions from the List Owner;

4.1.2 unless prohibited by law, promptly notify the List Owner (and in any event within forty-eight (48) hours of becoming aware of the same) if it considers, in its opinion (acting reasonably) that it is required by Applicable EU Law to act other than in accordance with the instructions of the List Owner, including where it believes that any of the List Owner's instructions under Clause 4.1.1 infringes any of the Data Protection Legislation;

4.1.3 implement and maintain appropriate technical and organisational security measures to comply with at least the obligations imposed on a Controller by the Security Requirements. If requested by the List Owner, Jisc will provide a description of the technical and organisational security measures that Jisc will implement and maintain;

4.1.4 take all reasonable steps to ensure the reliability and integrity of any of the Personnel who shall have access to the Personal Data, and ensure that each member of Personnel shall have entered into appropriate contractually-binding confidentiality undertakings;

4.1.5 notify the List Owner promptly, and in any event within forty-eight (48) hours, upon becoming aware of any actual or suspected, threatened or 'near miss' Personal Data Breach, and:

a. implement any measures necessary to restore the security of compromised Personal Data;

b. assist the List Owner to make any notifications to the Regulator and affected Data Subjects;

4.1.6 notify the List Owner promptly (and in any event within ninety-six (96) hours) following its receipt of any Data Subject Request or Regulator Correspondence and shall:

a. not disclose any Personal Data in response to any Data Subject Request or Regulator Correspondence without the List Owner's prior written consent; and

b. provide the List Owner with all reasonable co-operation and assistance required by the List Owner in relation to any such Data Subject Request or Regulator Correspondence;

4.1.7 not disclose Personal Data to a third party in any circumstances without the List Owner's prior written consent, other than:

a. in relation to Third Party Requests where Jisc is required by law to make such a disclosure, in which case it shall use reasonable endeavours to advise the List Owner in advance of such disclosure and in any event as soon as practicable thereafter, unless prohibited by law or regulation from notifying the List Owner;

b. to Jisc's employees, officers, representatives and advisers who need to know such information for the purposes of Jisc performing its obligations under this Agreement and in this respect Jisc shall ensure that its employees, officers, representatives and advisers to whom it discloses the Personal Data are made aware of their obligations with regard to the use and security of Personal Data under this Agreement; and

c. to a sub-contractor appointed in accordance with Clause 5.

4.1.8 not make (nor instruct or permit a third party to make) a Data Transfer without putting in place measures to ensure the List Owner's compliance with Data Protection Legislation;

4.1.9 on the written request of the List Owner, and with reasonable notice, allow representatives of the List Owner to audit Jisc to ascertain compliance with the terms of this Clause

a. the List Owner shall only be permitted to exercise its rights under this Clause 1.9 no more frequently than once per year (other than where an audit is being undertaken by a List Owner in connection with an actual or 'near miss' Personal Data Breach, in which case, an additional audit may be undertaken each year by the List Owner within thirty (30) days of the List Owner having been notified of actual or 'near miss' Personal Data Breach):

b. each such audit shall be performed at the sole expense of the List Owner;

c. the List Owner shall not, in its performance of each such audit, unreasonably disrupt the business operations of Jisc;

d. the List Owner shall comply with Jisc's health and safety, security, conduct and other rules, procedures and requirements in relation to Jisc's property and systems which have been notified by Jisc to the List Owner in advance; and

e. in no case shall the List Owner be permitted to access any data, information or records relating to any other List Owner of Jisc.

4.1.10 except to the extent required by Applicable EU Law, on the earlier of:

a. the date of termination or expiry of the Agreement (as applicable); and/or

b. the date on which the Personal Data is no longer relevant to, or necessary for, the performance of the Service,

cease Processing any of the Personal Data and, within sixty (60) days of the date being applicable under this Clause 4.1.10, return or destroy (as directed, in writing, by the List Owner) the Personal Data belonging to, or under the control of, the List Owner and ensure that all such data is securely and permanently deleted from its systems, provided that Jisc shall be entitled to retain copies of the Personal Data for evidential purposes and to comply with legal and/or regulatory requirements;

4.1.11 comply with the obligations imposed upon a Processor under the Data Protection Legislation; and

4.1.12 assist the List Owner in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of Processing and the information available to Jisc, provided that Jisc shall be entitled to charge a fee to the List Owner (on a time and materials basis and at such rate notified by Jisc to the List Owner from time to time) in respect of providing any such assistance to the List Owner.

4.2 Notwithstanding anything in this Agreement to the contrary, this Clause 4 shall continue in full force and effect for so long as Jisc Processes any Personal Data on behalf of the List Owner.

5. SUB-CONTRACTORS

5.1 Jisc may from time to time use sub-contractors to perform all or any part of its obligations under this schedule. Jisc shall notify the List Owner prior to appointing a sub-contractor. The List Owner may object to the appointment of any sub-contractor and Jisc shall reasonably take into account the views of the List Owner in appointing any such sub-contractor, but for the avoidance of doubt the appointment of any sub-contractor shall be at Jisc's absolute discretion and Jisc shall have no obligation to act in accordance with any objection raised by the List Owner. Information regarding the sub-contractors Jisc uses from time to time in connection with the performance of the Service can be found on the Service website.

5.2 Jisc may from time to time disclose Personal Data to its sub-contractors (or allow its sub-contractors to access Personal Data) for Processing solely in connection with the fulfilment of the Permitted Purpose.

5.3 Where Jisc uses a sub-contractor to Process Personal Data for or on its behalf, it will ensure that the sub-contractor contract (as it relates to the Processing of Personal Data) is on terms which are substantially the same as, and in any case no less onerous than, the terms set out in Clause 4 of this schedule.

5.4 Jisc shall remain liable to the List Owner for the acts, errors and omissions of any of its sub-contractors to whom it discloses Personal Data, and shall be responsible to the Customer for the acts, errors and omissions of such sub-contractor as if they were Jisc's own acts, errors and omissions to the extent that Jisc would be liable to the List Owner under this Agreement for those acts and omissions.

[Return to Top]

13. Amendments

JiscMail reserves the right to amend these Service Policies at any time without notice. If the policy is amended then all List Owners will be informed and they may distribute the information to list members.

This policy was last updated on 11 October 2021 - The role of list owners (Section 4: Role of List Owners) has been amended, for clarity, and applicable legislation has been amended in the Data Protection Schedule Section 12: Data Protection Schedule.

[Return to Top]