Concordia University of Edmonton has chosen Google Apps for Education as the platform for messaging and collaboration for faculty and staff as well as students. Any time a new software platform is evaluated and adopted, it is worth evaluating it from a privacy and security standpoint. This page serves to convey some of the results of the evaluation that IT Services has done for Google Apps.
Concordia University of Edmonton considers Google Apps to be an important piece of the IT services that we offer to faculty and staff. With respect to the security considerations, Google Apps should be treated very much like any other IT service. Concordia University of Edmonton retains ownership of the data and faculty and staff can feel confident using it. As with all IT services, however, faculty and staff must inform themselves of any legal and regulatory requirements of the sensitive information they handle and the particular requirements around retaining and storing it.
Privacy & Confidentiality
It must be understood, that standard e-mail is inherently non-confidential. That is, one should not expect that information revealed through e-mail will absolutely remain free from a broader disclosure. Regardless of whether the e-mail system is hosted on a system on-campus (in Exchange, for example) or on the Internet (with Google or elsewhere), there are four primary risks to email confidentiality:
- Security on the sending system: The device you use for sending messages may be always unlocked or even infected with malware. This risk can be mitigated by proper device security, regular updates, and malware protection.
- Security in transit/delivery: Email messages sent or received are transmitted in an unsecure manner over the Internet. This means that there is always the potential for someone other than the sender or intended recipient to view the contents of the message. This can be mitigated to a large extent by email encryption.
- Security in reading/retrieving: When a message is accessed, it is transmitted between the email server and the client. As with delivery, there is the potential for someone other than the sender or intended recipient to view the contents of the message as it is transmitted between systems. Google uses SSL encryption, much like banks do, to secure this communication.
- Security on the receiving system: The recipient could receive the message on any sort of device, distribute it, print it, etc. This is also the hardest risk to mitigate.
Because of the above risks, one must be prudent in how they use e-mail and what information is disclosed through that medium.
Drive / Documents
Google Drive (formerly Google Docs) has its own privacy and confidentiality considerations. Broadly speaking, it should be treated like other file storage services available at Concordia University of Edmonton. That said, the barriers to inadvertent sharing of sensitive or privileged information are greatly removed. So there must be additional caution taken around the proper sharing and distributing of information. Be sure to regularly review the sharing settings of Google Drive files/documents.
Frequently Asked Questions
How safe is it to store Concordia University of Edmonton data (e-mail, online files, etc) with Google?
Google is at the leading edge of providing secure yet accessible email, calendar, and storage services. Google uses industry-recognized security measures such as SSL encryption for web traffic, data center security certifications and audits, and regular monitoring.
You can feel confident about the security measures in place with Google, just as you would with Concordia University of University’s own network systems. This does not negate, but rather reinforces the need to be mindful of the sensitivity of the data you are storing or distributing.
What should I do to keep Concordia data secure?
Every employee has the responsibility to handle information appropriately, whether on Google Apps or not. Here are some important steps that ought to be taken:
- Store data in appropriate locations. Some data falls under legal and regulatory requirements. Faculty and staff must understand those requirements and comply with them as they handle that data.
- Secure access devices. The devices you use to access data can provide a risk if they are not well-protected by screen locking, PIN numbers, robust passwords, remote wipe for mobile devices, etc.
By hosting with Google, are we giving up ownership of our data?
No. The contract in place between Google and Concordia University of Edmonton clearly identifies the university as retaining all ownership of our data.
What about data mining?
Unlike many other online services, no data stored on Google Apps for Education is mined by Google.
What risk is there that the Canadian or US government agencies will have access to my Concordia data hosted with Google?
A variety of laws allow government agencies to investigate regulatory violations or criminal activity. Google must comply with the laws of the countries in which it operates. Though rare, they do receive legal requests for information. Google states, “Respect for the privacy and security of data you store with Google underpins our approach to complying with these legal requests. When we receive such a request, our team reviews the request to make sure it satisfies legal requirements and Google’s policies. Generally speaking, for us to comply, the request must be made in writing, signed by an authorized official of the requesting agency and issued under an appropriate law. If we believe a request is overly broad, we’ll seek to narrow it. We notify users about legal demands when appropriate, unless prohibited by law or court order.” (From: http://www.google.com/transparencyreport/userdatarequests/legalprocess/ )
It is worth noting that this is the very same approach that would be taken if Concordia University of Edmonton received the same request directly from a Canadian government agency.
What other post-secondary schools have moved to Google Apps for Education?
Many high-profile schools in Canada, United States, and worldwide are now using Google Apps for Education. Google publishes case studies here: http://www.google.com/enterprise/apps/education/customers.html
Where can I read the Google Apps for Education contract terms?
Where can I read more about Google’s approach to security?