skip to content

IT Help and Support

University Information Services

The University’s Information Services Committee (ISC) has been preparing a new policy that will govern the allocation of University email addresses ending, @<domain> and @<subdomain.domain>
These pages contain updates and background information on how the draft policy is developing.

Latest news – July 2023

The Information Services Committee (ISC) received another draft of the policy at its meeting of 23 May 2023. This draft addressed comments received during the period of engagement with the Cambridge community on the draft policy received by the ISC in March 2023. More information on this is included in the last update.
This second iteration of the draft policy was endorsed by the Colleges’ IT Committee on 17 May 2023 and by the ISC on 23 May 2023. The General Board and the University Council considered the draft policy at their respective meetings of 7 and 19 June 2023. Both committees approved the policy, at the recommendation of the ISC, for a trial year in the first instance.
The policy will now be piloted with a small sample of volunteer institutions in the academic year 2023–24. This will allow further testing and refinement before any wider implementation. The ISC will review the policy in the light of the trial, and the experiences of the participating institutions, in spring 2024. It will then recommend any changes to the General Board and Council.

We will continue to provide updates on how the policy is developing during the trial year on these pages.

Why a new policy is needed

The University’s practices around the allocation of email addresses have grown organically over many years, and there is currently no formal policy governing exactly who is eligible for them.

Setting some parameters for access to University email addresses is important because it will contribute to the University’s ability to maintain its outstanding reputation, manage institutional risks (particularly around cyber security), protect personal and professional data, and provide necessary assurance to external partners.

Maintaining our reputation

Cambridge email addresses are a very public part of the University’s identity, and the work of the people who use them is integral to the reputation of our community. It follows therefore that email addresses should be given to those whose work or study contributes to the University’s mission. The policy will help us ensure that individuals who are given email addresses have a legitimate use for them, and that they and the University are not undermined by occasional, but nonetheless harmful, misuse. Thanks to the consultation we now know much more about the various types of people who should be eligible on this basis, and the policy will seek to include them.

Managing institutional risks

Cyber security is an increasing concern for the University, as it is for all organisations. Cyber attacks have the potential to cause severe and costly disruption to the University’s core activities, and to damage its reputation. Knowing who does, and who can have, a University of Cambridge email address plays an important part in managing secure access to our systems. The introduction of this policy will decrease our exposure to nefarious and criminal activity including hacking, identity and data theft, systems infiltration and even blackmail.

Data protection compliance

Good data protection within organisations is not only a legal but a moral imperative: the University cares about all those who work within it and study here, and wishes to protect their personal and professional data. The policy will help by creating a secure framework for the provision of email addresses and attached mailboxes, which contain individuals’ data, of which the University is (legally) the data controller. It will also help by requiring those using such accounts to abide by University data protection policies regardless of their status.

Providing assurance to external partners

The University is increasingly required by external partners such as research funders to demonstrate that it has adequate policies and technical controls to protect systems and data. This policy, and others in development, will improve our ability to do so.

Contact us

All updates on the progress of drafting the policy will be posted on these webpages, and significant updates will be published in the Reporter.

If you have any questions about the policy, the consultation, its development, or how it may affect you, please email