Home Security and Privacy in the U-M Google Environment
Security and Privacy in the U-M Google Environment
It is the policy of U-M to take all appropriate and desirable steps to protect the confidentiality, integrity, security, and privacy of both personal and institutional data maintained within the university environment. Under the terms of U-M's agreement with Google, U-M continues to own its own data, so consequently its security and privacy policies continue to apply for members of the U-M campus community using Google core services.
Google is a cloud computing service. U-M, like other large institutions, is increasingly moving into the cloud. Find more specifics about U-M'S approach to security in the cloud in Cloud Computing and Information Security.
Google secures your data and provides for personal privacy. Google has its own very detailed security and privacy standards and guidance that can be accessed below:
Google is SSAE-16 certified and periodically updates its SSAE report, which describes its security practices. You can read more about these practices in Google's 2011 Security Whitepaper: Google Apps Messaging and Collaboration Products.
Not all security and privacy practices or functionality developed or offered by Google are included in the U-M contract. For example:
U-M is responsible for all regulatory requirements even when it moves its data into the cloud. While Google is appropriate for most communication and collaboration, the sensitivity and regulatory status of information and data must be carefully considered before storing data in the Google environment.
Users who work with certain types of regulated data will not have their email or calendars migrated to Google. They will have access to Google Docs and other collaboration tools, but must always be cognizant of the Proper Use Policy and Sensitive Regulated Data Standard when using those tools.
Faculty, researchers, and staff (including student employees and students conducting research) need to assess whether federal and state laws, contractual obligations, and/or grant restrictions limit the ability to maintain institutional or research data in Google Apps.
The Office of the CIO has issued the following standard that establishes mandatory expectations for complying with statutory and regulatory requirements related to protecting sensitive regulated data:
To assist in making this assessment, faculty and staff can see at a glance whether a specific data type is permissible or not to be maintained in a U-M or external vendor cloud service by viewing these tables.
Google Drive is considered a "core service" and is covered by the U-M agreement with Google. This means that it will be covered by the same terms as other U-M Core Services.
For more information, see Google's FAQ page regarding Security and Privacy.
Per the terms of our agreement (which covers Core Services only), Google may only process or otherwise use UMICH account data as required for the purpose of providing services and performing its obligations under the agreement. This includes processes for preventing spam and ensuring the technical functioning of Google's network (including detecting, preventing or otherwise addressing fraud, security or technical issues). Note that our agreement with Google specifically prohibits advertising within the U-M domain for the Core Services. The university is neither selling data nor profiting from this arrangement.
Per the terms of the Google Apps agreement, U-M account holders using Google Apps within the U-M domain will not see advertising when using the Core Services.
Google will store data on its secure servers, which could be located outside the U.S. or within the U.S. accessible to foreign nationals. For this reason, U-M users working with regulated export-controlled data that must be housed in the U.S. and managed by U.S. citizens will not be able to use some Google Apps such as email and calendar. Their use of other Google Apps must be in accordance with the Proper Use Policy and the Information Technology Standard Sensitive Regulated Data: Permitted and Restricted Uses.
How will the security of my password be protected when I log in to the Google Apps U-M domain? Will Google have my UMICH password?
When you log in to your Google Apps UMICH account via the web, you will actually log in to U-M's weblogin service. That service will then pass on assurance of your identity and authorization to Google without passing on your password. For details, see Signing In and Out of Your Google Apps UMICH Account Via the Web (S4389).
When you log in to your Google Apps UMICH account using a desktop mail client, such as Outlook or Apple Mail, or from a mobile device, you will log in directly to Google. In this case, Google needs to have an encrypted copy of your UMICH password so you can log in. U-M transfers your password to Google in encrypted form over a secure connection for this purpose. For details, see UMICH Password Hub.
Yes, the move to Google for email services does not alter the university's rules, obligations, and procedures related to FOIA. For more information visit the Office of the General Counsel's website and the FOIA Office.
It won't. Your University of Michigan Google account is managed separately from your personal Google account. However, you will be able to integrate some functions if you choose. For example, you can forward mail and share calendars between accounts.
For dual med.umich.edu and umich.edu account holders only: How will the Google migration of my umich.edu email account affect my med.umich email account as far as mail forwarding and rules?
Information and Infrastructure Assurance offers introductory answers to frequently asked questions about what categories of sensitive regulated data can or cannot be maintained in cloud computing environments generally and the U-M Google environment specifically.
The FAQ will be regularly updated to include new recurring questions asked by U-M faculty and staff. Contact us to submit a question you would like to see answered on this FAQ.
Last modified: January 17 2013.