Google: Best Practices for Data Security
Saint Joseph’s University and Google have negotiated contractual terms and conditions that protect the privacy and confidentiality of university faculty, staff, and student data in the SJU Google suite of services. The contract ensures that we continue to own our data; that Google will not share this data; and that Google will not datamine for commercial purposes. Google will keep our data in perpetuity, delete it when requested, and will not display advertisements within the suite of Core Apps.
For an explanation of Google’s privacy and security policies, see:
Google Drive Usage Guidelines
Google Drive is a cloud storage service available to Saint Joseph’s University faculty, staff, and students. Google Drive allows users to store, share, and synchronize files using multiple devices from multiple access points. The Google Drive service is intended to provide faculty, staff, and students with a means to share documents and data among other authorized SJU users and authorized third parties who have a legitimate educational or business interest in them.
Prior to using the Google Drive application, please read the following notice:
You are prohibited from using Google Apps or similar cloud-based services for storing, transmission, or processing of private information. Examples of private information include (but are not limited to):
- Personally-identifiable Information (PII): Personal identifiers, including Social Security, tax identification, driver’s license, and bank account numbers, listed in the Breach of Personal Information Notification Act, as well as other legally confidential data, are protected information.
- Family Educational Rights and Privacy Act (FERPA) Data: The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student education records.
- Health Insurance Portability Accountability Act (HIPAA) and Protected Health Information (PHI): Individually-identifiable health information is legally protected by Federal HIPAA Privacy and Security laws as well as Pennsylvania laws related to medical record confidentiality.
- Intellectual property: SJU G Suite users can invite other Google Apps users (and non-users), both within the university and outside the university, to view data, co-edit documents, and use other collaboration tools. It is the responsibility of each user to ensure that appropriate sharing controls are used in order to protect SJU’s intellectual property or third party confidential proprietary information provided to the university under contractual terms requiring non-disclosure.
- Legal investigations conducted by the university
- Internal audit and compliance data (integrity)
- Credit card transaction data and CVV numbers (pertaining to university purchasing cards)
- SJU passwords
Additionally, email and/or Google chat is not a secure means of sharing sensitive data. None of the above referenced materials should be shared via email or chat.
Continuity of departmental data
When selecting a data storage method, consider continuity of important data during staffing transitions, such as terminations, retirements, promotions, or transfers. Files that are important to the department should be stored on SJU-provided departmental share drives that are backed up and are not dependent on an individual’s relationship with the university. Google Drive is NOT a replacement for SJU-provided department share drives.
When an individual leaves SJU, his/her computing account and the G Suite account is locked and ultimately deleted according to the Email and Data Storage Policy, including files stored on Google Drive, Email, Calendar information, etc. Plan for transferring ownership of files in the event that a staff member leaves.