Privacy & Data Security Best Practices
In December 2012, Simmons College Technology began migrating faculty and staff to Google Apps for Education. This page explains security considerations and best practices for private and sensitive information as it relates to Google Apps for Education.
Data Security & Best Practices for Sensitive and Private Data
Simmons College has established a contract with Google that protects the privacy and security of the information that students, faculty, and staff store in Google’s Core Apps. These “Core Apps” include Google Mail (Gmail), Google Contacts, Google Calendar, Google Docs/Drive, Google Talk (Chat), Google Groups, Google Sites, and Google Videos. This contract does not extend to cover Google’s suite of “Consumer Apps”, which include YouTube, Blogger, Google+, Maps, Reader, Voice, Translate, Picasa, Analytics and more. Click here for a complete list of Google’s Consumer Apps.
The contract that has been established between Simmons College and Google ensures that we (Simmons) continue to own our data. Google will not share this data, will not datamine for commercial purposes, will keep our data in perpetuity, and will not display advertisements within the suite of Core Apps.
Best practices for Google Apps for Education should be in line with Simmons’ Acceptable Use Policy.
Family Educational Rights and Privacy Act (FERPA) Data
The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student education records. Student data that is afforded protection under FERPA is permitted in Google Apps for Education at Simmons, so long as that information is shared only between the student and staff or faculty with a legitimate educational interest in the information, and only the information that is legitimately needed in a given situation is shared. Student data should never be made publicly accessible.
Health Insurance Portability and Accountability Act (HIPAA) and Protected Health Information (PHI) Data
Neither email nor Google Apps should be used to store or transmit protected health information (PHI). Protected health information should remain in a system designed to contain health information, such as a directory file sharing system within a professionally managed and supported network environment such as the Simmons “Active Directory” service (i.e. the departmental “G:” drive). If protected health information needs to be electronically transferred, appropriate methods for securely transmitting the information include the Simmons Secure File Transfer service (http://xfer.simmons.edu) or integrated messaging systems associated with a legally certified electronic health record system.
Whenever sharing protected health information, remember to limit the amount of information to the minimum necessary, and ensure that the recipient of the information is legally authorized to receive the information.
Intellectual Property Rights and Participation of External Users
Google Apps users can invite other Google Apps users, both within Simmons and outside of Simmons, to view data, co-edit documents, and use other collaboration tools. It is the responsibility of each user to ensure appropriate sharing controls are used in order to protect intellectual property stored within and shared through Google Apps at Simmons College, as well as to prevent accidental or undesirable file sharing. Please note that Simmons will, from time to time, monitor the sharing of documents with individuals outside the college and may take action on documents that are inappropriately shared. These actions may include removal of the document or modification of its sharing rights.
For further questions regarding security or best practices concerning Google Apps at Simmons College, please contact Simmons Technology at 617-521-2222 or by going to http://servicedesk.simmons.edu/getsupport/general.