Security and Privacy in the U-M Google Environment

U-M Google is a cloud computing service that provides a large selection of collaboration tools to U-M users. Find more specifics about U-M's approach to the cloud and data security in Safely Use the Cloud.

For information about Google's data security and privacy, see:

U-M retains ownership of its data, and Google may only process or otherwise use UMICH account data as required for the purposes of providing services, and performing its obligations under the agreement. This includes processes for preventing spam, and ensuring the technical functioning of Google's network (including detecting, preventing or otherwise addressing fraud, security or technical issues).

Core Services vs. Additional Services

U-M Google Core Services are covered by the university's Google Apps for Education agreement with Google, and provide a secure environment for maintaining or sharing the university's sensitive unregulated data, as well as some kinds of sensitive regulated data. U-M Google Additional Services are not covered by this agreement. To learn which U-M Google Services are Core Services and which are Additional, see the U-M Google List of Services.

The distinction is important because the Core Services have certain privacy protections that are not found when using the Additional Services, which are not protected by U-M's agreement and may be subject to individualized data mining and advertising.

Almost all of the information found in Google Safety Center applies to U-M Google Core services. However, there are some important differences between Google Apps for a general consumer audience and U-M Google, the enterprise version under contract with U-M. For example, account holders using U-M Google Core services will not see any advertising. In addition, two-step verification is not currently available in the U-M Google environment.

Google's Privacy Policy and Terms of Service do not affect the contractual agreement between the University of Michigan and Google, with respect to the Core Services, but they do apply to the Additional Services, as they are listed in the U-M Google List of Services. The Terms of Service state that if a user is signed in to one of the Additional (non-Core) services, Google may combine information that the user provides in one non-Core service with information provided in another non-Core service. New users will be presented with the Terms of Service acceptance page the first time they log in to their U-M Google account. If you do not want to accept the Terms of Service, which apply just to Additional Services, please contact the ITS Service Center to be set up with an account that does not have Additional Services activated.

Sensitive University Data and U-M Google

U-M is responsible for comlying with all regulatory requirements, whether it stores its data locally or in the cloud. While U-M Google is appropriate for most communication and collaboration, the sensitivity and regulatory status of information and data must be carefully considered before storing data in the U-M Google environment.

Faculty, students, researchers, and staff need to assess whether federal and state laws, contractual obligations, and/or grant restrictions limit the ability to maintain institutional or research data in U-M Google Apps. You can see at a glance whether it is is permissible or not to store or share a specific data type in a U-M or external vendor cloud services using the Sensitive Data Guide To IT Services.

Users who work with certain types of regulated data do not receive U-M Google Mail and Calendar. They do have access to U-M Google Drive and other collaboration tools, but must always be cognizant of the Responsible Use of Information Resources Policy (SPG601.07) when using those tools.

Users with both and email accounts may not forward email from their to their account to ensure that HIPAA data remains in a compliant environment.

Google stores data on its secure servers, which may be located outside the U.S. or within the U.S. and accessible to foreign nationals. For this reason, U-M users working with regulated export-controlled data that must be housed in the U.S. and managed by U.S. citizens may not use some U-M Google Apps, such as Mail and Calendar. Their use of other Google Apps must be in accordance with the Responsible Use Policy (SPG 601.07).

University Policy and U-M Google

Under the terms of U-M's agreement with Google, U-M continues to own its own data, so consequently its security and privacy policies continue to apply for members of the U-M campus community using U-M Google Core Services. For example, information in U-M Google is subject to the same university rules, obligations, and procedures related to the Freedom of Information Act (FOIA) and eDiscovery, as is university information stored elsewhere. For more about FOIA, visit the Office of the Vice President & General Counsel's website and the FOIA Office.)

Use of U-M Google is also subject to the university's General Information Technology Policies and Student Information Technology Policies.

Google's Commitment to Privacy

Google was one of the first cloud providers to invite an independent auditor to show that the privacy practices for Google Apps for Work and Google Apps for Education comply with the latest ISO/IEC 27018:2014 privacy standards (see Google Security Audits and Certifications). These confirm for example, that Google does not use customer data from these apps for advertising.

Passwords and U-M Google

When you log in to your U-M Google account via the web, you log in using U-M's Weblogin service. That service will then pass on assurance of your identity and authorization to Google without passing on your password. For details, see Signing In and Out of Your U-M Google Account Via the Web.

When you log in to your U-M Google account using a desktop mail client, such as Outlook or Apple Mail, or from a mobile device, such as a smartphone, you log in directly to Google. In this case, Google needs to have an encrypted copy of your UMICH password so you can log in. U-M transfers your password to Google in encrypted form over a secure connection for this purpose. For details, see UMICH Password Hub.