Home Protect University Data University Data in the Cloud Security and Privacy in the M+Google Environment
Security and Privacy in the M+Google Environment
M+Google is a cloud computing service that provides a large selection of collaboration tools to U-M users. Find more specifics about U-M's approach to security in the cloud in Cloud Computing and Information Security.
For information about Google's data security and privacy, see
U-M owns its own data, and Google may process or otherwise use UMICH account data only as required for the purposes of providing services and performing its obligations under the agreement. This includes processes for preventing spam and ensuring the technical functioning of Google's network (including detecting, preventing or otherwise addressing fraud, security or technical issues).
Core Services vs. Additional Services
M+Google Core Services are covered by the university's Google Apps for Education agreement with Google and provide a secure environment for maintaining or sharing the university's sensitive unregulated data, as well as some kinds of sensitive regulated data. M+Google Additional Services are not covered by this agreement. To learn which M+Google Services are Core Services and which are Additional, see the M+Google List of Services.
The distinction is important because the Core Services have certain privacy protections that are not found when using the Additional Services, which are not protected by U-M's agreement and may be subject to individualized data mining and advertising.
Almost all of the information found in Google Safety Center applies to M+Google Core services. However, there are some important differences between Google Apps for a general consumer audience and M+Google, the enterprise version under contract with U-M. For example, account holders using M+Google Core services will not see any advertising. In addition, two-step verification is not currently available in the M+Google environment.
Sensitive University Data and M+Google
U-M is responsible for all regulatory requirements, whether it stores its data locally or in the cloud. While M+Google is appropriate for most communication and collaboration, the sensitivity and regulatory status of information and data must be carefully considered before storing data in the M+Google environment.
Faculty, students, researchers, and staff need to assess whether federal and state laws, contractual obligations, and/or grant restrictions limit the ability to maintain institutional or research data in M+Google Apps. You can see at a glance whether it is is permissible or not to store or share a specific data type in a U-M or external vendor cloud services using the Sensitive Data Guide To IT Services.
Users who work with certain types of regulated data do not receive M+Google Mail and Calendar. They do have access to M+Google Drive and other collaboration tools, but must always be cognizant of the Proper Use Policy and Sensitive Regulated Data Standard when using those tools.
Users with both med.umich.edu and umich.edu email accounts may not forward email from their med.umich.edu to their umich.edu account to ensure that HIPAA data remains in a compliant environment.
Google stores data on its secure servers, which may be located outside the U.S. or within the U.S. and accessible to foreign nationals. For this reason, U-M users working with regulated export-controlled data that must be housed in the U.S. and managed by U.S. citizens may not use some M+Google Apps, such as Mail and Calendar. Their use of other Google Apps must be in accordance with the Proper Use Policy and guidelines for implementing it and the Information Technology Standard Sensitive Regulated Data: Permitted and Restricted Uses.
University Policy and M+Google
Under the terms of U-M's agreement with Google, U-M continues to own its own data, so consequently its security and privacy policies continue to apply for members of the U-M campus community using M+Google Core Services. For example, information in M+Google is subject to the same university rules, obligations, and procedures related to FOIA as is university information stored elsewhere. For more about FOIA, visit the Office of the Vice President & General Counsel's website and the FOIA Office.)
Google's Commitment to Privacy
Google was one of the first cloud providers to invite an independent auditor to show that the privacy practices for Google Apps for Work and Google Apps for Education comply with the latest ISO/IEC 27018:2014 privacy standards (see Google Security Audits and Certifications). These confirm for example, that Google does not use customer data from these apps for advertising.
Passwords and M+Google
When you log in to your M+Google account via the web, you log in using U-M's Weblogin service. That service will then pass on assurance of your identity and authorization to Google without passing on your password. For details, see Signing In and Out of Your M+Google Account Via the Web (S4389).
When you log in to your M+Google account using a desktop mail client, such as Outlook or Apple Mail, or from a mobile device, such as a smartphone, you log in directly to Google. In this case, Google needs to have an encrypted copy of your UMICH password so you can log in. U-M transfers your password to Google in encrypted form over a secure connection for this purpose. For details, see UMICH Password Hub.