Google Privacy and Security
The Defiance College-Google Apps for Education (Google) agreement generally provides for the privacy and security of Defiance College (DC) data in the DC Google suite of services. The Google agreement provides the following assurances to faculty, staff, students, and alumni:
- Google does not own your data
- Google secures your data
- Google retains the data only as long as you want them to
- Google deletes the data when you ask them to
Generally, you may use Google to conduct activities that align with your role at the College, so long as you follow DC's Computer Policy, and adhere to the guidance for Google and Regulated/Sensitive Data.
For more, visit the Google Apps for Education Security & Privacy webpage.
Google and Regulated/Sensitive Data
- Export Controlled Research
Export controlled research includes information that is regulated for reasons of national security, foreign policy, anti-terrorism or non-proliferation. Encompassing laws, statutes, or regulatory agencies include International Traffic in Arms Regulations (ITAR), Export Administration Regulations (EAR), and the Office of Foreign Assets Control Regulations (OFAC). Specifically, these requirements include restricting research data access to U.S. citizens and licensed foreign nationals, and storing it within U.S. borders.
Because Google has an internationally distributed storage environment and unlicensed foreign nationals supporting the systems, DC Faculty and Researchers should not collect, process, share or store export controlled research data in the Google environment.
- Federal Information Security Management Act (FISMA)
FISMA requires federal agencies to develop, document, and implement security programs for IT systems that support the agency, including systems that are provided or managed by another entity. One of the FISMA requirements is that the data is stored within U.S. borders.
Because Google has an internationally distributed storage environment, DC faculty and researchers should not collect, process, share or store FISMA data in the Google environment.
- Electronic Protected Health Information (ePHI)
ePHI is individually identifiable health information, in electronic form, as defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA also requires a contractual arrangement (typically known as a Business Associate Agreement) be made with service providers that perform functions or activities that involve the use or disclosure of ePHI on behalf of a HIPAA-covered entity, or that provide services to such an entity.
The Google Apps for Education Agreement does not include a specific business associate agreement or incorporate such language into the Agreement. Therefore, ePHI should not be collected, processed, shared or stored in the Google environment.
- Payment Card Data
The payment card industry created the data security standards (PCI-DSS) for organizations that process, store or transmit cardholder data. The DC Business Office has overall responsibility for the oversight of payment card services, and is the owner of PCI compliance for the college.
The Business Office mandates that users must not store cardholder data on any college system without approval. By extension, this means that Google should not be used to collect, process or store payment card data.
- Gramm-Leach-Bliley Act (GLBA)
GLBA requires financial institutions, including higher education institutions, to safeguard sensitive data. DC complies with the security of customer data as outlined in the Gramm-Leach-Bliley Act.
Similar to the ePHI analysis, because Google will not agree to a GLBA-specific non-disclosure and security safeguard provision, it should not be used to collect, process or store GLBA data.
- Family Educational Rights and Privacy Act (FERPA)
Under the Google Apps for Education agreement, Google is deemed a "school official" and will comply with its obligations under FERPA. Therefore, FERPA data may be collected, processed or stored in the Google environment.
However, DC faculty and staff are reminded of their own obligations to protect FERPA data and only share such data with the student and those who have a legitimate education-related interest. Student data should never be made publicly accessible. For more, visit the Registrar's Office FERPA information webpage (PDF).
Less Regulated or Unregulated Data
Under the DC data classification scheme, there is a significant amount of data that is considered sensitive, but that is not necessarily as prescriptively regulated as the above examples. DC defines sensitive as data "whose unauthorized disclosure may have serious adverse effect on the DC's reputation, resources, services, or individuals. Data protected under federal or state regulations or due to proprietary, ethical, or privacy considerations will typically be classified as sensitive."
Examples of less regulated or unregulated sensitive data include:
- Social Security Numbers (SSNs);
- Attorney-client privileged information;
- High-profile/controversial research (e.g., stem cell, animal); and
- Data related to security plans and security incidents.
Absent other specific prescriptive requirements (e.g., contractual agreements for sponsored research), data stewards and data managers should analyze the risks before collecting, processing or storing any sensitive data in Google.