Google Privacy and Security
The Defiance College-Google Apps for Education (Google) agreement generally provides
for the privacy and security of Defiance College (DC) data in the DC Google suite
of services. The Google agreement provides the following assurances to faculty, staff,
students, and alumni:
- Google does not own your data
- Google secures your data
- Google retains the data only as long as you want them to
- Google deletes the data when you ask them to
Generally, you may use Google to conduct activities that align with your role at the
College, so long as you follow DC's Computer Policy and adhere to the guidance for Google and Regulated/Sensitive Data.
For more, visit the Google Apps for Education Security & Privacy webpage.
Google and Regulated/Sensitive Data
- Export Controlled Research
Export controlled research includes information that is regulated for reasons of national
security, foreign policy, anti-terrorism or non-proliferation. Encompassing laws,
statutes, or regulatory agencies include International Traffic in Arms Regulations
(ITAR), Export Administration Regulations (EAR), and the Office of Foreign Assets
Control Regulations (OFAC). Specifically, these requirements include restricting research
data access to U.S. citizens and licensed foreign nationals, and storing it within
Because Google has an internationally distributed storage environment and unlicensed
foreign nationals supporting the systems, DC Faculty and Researchers should not collect,
process, share or store export controlled research data in the Google environment.
- Federal Information Security Management Act (FISMA)
FISMA requires federal agencies to develop, document, and implement security programs
for IT systems that support the agency, including systems that are provided or managed
by another entity. One of the FISMA requirements is that the data is stored within
Because Google has an internationally distributed storage environment, DC faculty
and researchers should not collect, process, share or store FISMA data in the Google
- Electronic Protected Health Information (ePHI)
ePHI is individually identifiable health information, in electronic form, as defined
by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA
also requires a contractual arrangement (typically known as a Business Associate Agreement)
be made with service providers that perform functions or activities that involve the
use or disclosure of ePHI on behalf of a HIPAA-covered entity, or that provide services
to such an entity.
The Google Apps for Education Agreement does not include a specific business associate
agreement or incorporate such language into the Agreement. Therefore, ePHI should
not be collected, processed, shared or stored in the Google environment.
- Payment Card Data
The payment card industry created the data security standards (PCI-DSS) for organizations
that process, store or transmit cardholder data. The DC Business Office has overall
responsibility for the oversight of payment card services, and is the owner of PCI
compliance for the college.
The Business Office mandates that users must not store cardholder data on any college
system without approval. By extension, this means that Google should not be used to
collect, process or store payment card data.
- Gramm-Leach-Bliley Act (GLBA)
GLBA requires financial institutions, including higher education institutions, to safeguard
sensitive data. DC complies with the security of customer data as outlined in the
Gramm-Leach-Bliley Act.
Similar to the ePHI analysis, because Google will not agree to a GLBA-specific non-disclosure
and security safeguard provision, it should not be used to collect, process or store
- Family Educational Rights and Privacy Act (FERPA)
Under the Google Apps for Education agreement, Google is deemed a "school official"
and will comply with its obligations under FERPA. Therefore, FERPA data may be collected,
processed or stored in the Google environment.
However, DC faculty and staff are reminded of their own obligations to protect FERPA
data and only share such data with the student and those who have a legitimate education-related
interest. Student data should never be made publicly accessible.
For more, visit the Registrar's Office FERPA information webpage.
Less Regulated or Unregulated Data
Under the DC data classification scheme, there is a significant amount of data that
is considered sensitive, but that is not necessarily as prescriptively regulated as
the above examples. DC defines sensitive as data "whose unauthorized disclosure may
have serious adverse effect on the DC's reputation, resources, services, or individuals.
Data protected under federal or state regulations or due to proprietary, ethical,
or privacy considerations will typically be classified as sensitive."
Examples of less regulated or unregulated sensitive data include:
- Social Security Numbers (SSNs);
- Attorney-client privileged information;
- High-profile/controversial research (e.g., stem cell, animal); and
- Data related to security plans and security incidents.
Absent other specific prescriptive requirements (e.g., contractual agreements for
sponsored research), data stewards and data managers should analyze the risks before
collecting, processing or storing any sensitive data in Google.