(D111) Google Apps for Education Acceptable Use and Data Security Policy
This policy applies to users of Google Apps for Education at SUNY Polytechnic Institute. Guidelines adopted by a division or department to meet specific academic or administrative needs must comply with this policy and with policies on the use of SUNY Polytechnic Institute information technology resources established by SUNY Polytechnic Institute and the Information Technology departments that include, but are not limited to, the following:
- Appropriate Use of Information Technology
- Access to Institutional Data
- Classification and Use of Information Assets
- Workstation Security
- Credential Security
- Electronic Mail (Email) Retention
- Personnel Security
Google Apps for Education is provided at SUNY Polytechnic Institute to support its education, research, public service and health care missions by offering a robust communication and collaboration platform for students, faculty, staff, alumni, and retirees to interact with one another and share information and knowledge. This suite of applications includes Gmail, Google Calendar, Google Docs/Drive, Google Sites, Google Talk, and Google Groups. Use of Google's suite of services is a privilege. Accordingly, all users of Google Apps for Education at the University are responsible for the proper use and protection of data stored in the system. In addition to the above-stated SUNY Polytechnic Institute policies, use of the Google Apps services is also governed by the Google Apps Terms of Service. Anyone in the SUNY Polytechnic Institute community utilizing Google Apps for Education services must agree and adhere to the Google Terms of Service that will be presented for review the first time they attempt to log into their account.
- Anyone in the SUNY Polytechnic Institute community utilizing Google Apps for Education services must be aware that their data may be stored in data centers outside the borders of the United States.
- As stated in the SUNY Polytechnic Institute Appropriate Use of Information Technology policy, anyone in the SUNY Polytechnic Institute community utilizing Google Apps for Education services acknowledges that SUNY Polytechnic Institute has the ability to monitor, use, or disclose their data, and that Google provides SUNY Polytechnic Institute the ability to do so for system management and security purposes.
- Anyone in the SUNY Polytechnic Institute community utilizing Google Apps for Education services must acknowledge that Google can terminate their account if they fail to abide by the Google Terms of Service.
- Anyone in the SUNY Polytechnic Institute community utilizing Google Apps for Education must agree that they will not use the services for gambling, pornography, or for running a business.
- Anyone in the SUNY Polytechnic Institute community utilizing Google Apps for Education services must acknowledge and abide by the Google Sites Program Policies
- Anyone in the SUNY Polytechnic Institute community utilizing Google Apps for Education services is made aware of the Google Acceptable Use Policy that states you agree not to use the Google services provided to you:
- to generate or facilitate unsolicited bulk commercial email;
- to violate, or encourage the violation of, the legal rights of others;
- for any unlawful, invasive, infringing, defamatory, or fraudulent purpose;
- to intentionally distribute viruses, worms, Trojan horses, corrupted files, hoaxes, or other items of a destructive or deceptive nature;
- to interfere with the use of the Google Apps services, or the equipment used to provide the services, by customers, authorized resellers, or other authorized users;
- to alter, disable, interfere with or circumvent any aspect of the services;
- to test or reverse-engineer the services in order to find limitations, vulnerabilities or evade filtering capabilities;
- to use the services, or a component of the services, in a manner not authorized by Google
Failure to comply may result in suspension or termination, or both, of the services.
A full copy of the Google Apps Acceptable Use Policy may be found at http://www.google.com/apps/intl/en/terms/use_policy.
Appropriate Use of Private and Sensitive Data
SUNY Polytechnic Institute, SUNY, and Google have negotiated contractual terms and conditions that protect the privacy and confidentiality of SUNY Polytechnic Institute student, faculty, staff, alumni and retiree data in the SUNY Polytechnic Institute Google Apps suite of services. As a result, the use of Google Apps at SUNY Polytechnic Institute to conduct activities may be subject to the following restrictions for certain types of data:
Family Educational Rights and Privacy Act (FERPA) Data
The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student education records. Student data protected by FERPA is permitted in the SUNY Polytechnic Institute Google Apps for Education suite of services, provided that the information is shared only between the student and those who have a legitimate education-related interest as defined by SUNY Polytechnic Institute’s Student Records policy. Student data should never be made publicly accessible.
Health Insurance Portability Accountability Act (HIPAA) and Protected Health Information (PHI) Data
Email, by its nature, is not a secure medium for sharing sensitive information, and Google Apps for Education should not be used to store or transmit protected health information (PHI). Individually-identifiable health information is legally protected by Federal HIPAA Privacy and Security laws as well as New York State regulations.
Protected health information should remain in a record system designed to contain health information and should be de-identified (stripped of all 18 HIPAA identifiers) before being shared electronically. If de-identifying the information is not possible, appropriate methods for securely transmitting the information include:
- Use of an integrated messaging system associated with a legally certified electronic health record system.
- Directory file sharing within a professionally managed and supported networked environment such as the SUNY Polytechnic Institute’s "Active Directory" service.
- Use of a "dropbox-like" technology such as SUNY Polytechnic Institute Serv-U File Server.
Additional obligations to remember when sharing PHI:
- Limit the amount of information to the minimum necessary that is required
- Misdirected information or incidents involving the inappropriate use of protected health information must be reported immediately. Misdirected health information must be included in all accounting of disclosures.
- Ensure that the recipient of the information is legally authorized to receive the information.
All questions or concerns regarding HIPAA or protected health information should be directed to:
Information Security Officer
SUNY Polytechnic Institute
Export Controlled Information
Export controlled technical data or software is not permitted in SUNY Polytechnic Institute’s Google Apps for Education suite of services.
It can be a federal crime to share export-controlled technical data or software with others who are (a) not United States citizens or permanent United States residents, whether abroad or in the United States or (b) on a denied parties list.
If you think you have export-controlled restrictions placed on the technical data or software that you are sharing and/or receiving, please contact the Information Security Officer.
Please note that email, by its nature, is an insecure medium for sharing sensitive information. Just as you would not include your Social Security number or credit card number in an email message, you should not include export-controlled technical data or software in email. The export of controlled technical data, software, or items may result in fines and penalties to both the individual and the institution.
Social Security Numbers, Driver's License Numbers, Financial Account/Credit Card Numbers
SUNY Polytechnic Institute Google Apps should not be used to store, maintain or transmit Social Security numbers, driver's license numbers, financial account or credit card numbers. Such data should be stored only on systems approved for such use.
Intellectual Property Rights and Participation of External Users in Google Docs/Drive
Google Apps for Education users can invite other Google Apps users, both within and outside SUNY Polytechnic Institute, to view data, co-edit documents, and use other collaboration tools. It is the responsibility of each user to ensure appropriate sharing controls are used in order to protect intellectual property placed in Google Apps for SUNY Polytechnic Institute, as well as to prevent accidental or undesirable file sharing. Authorized users are subject to the following additional requirements:
- Maintain the integrity of data files, including performing regular back-ups. Do not rely on Google or SUNY Polytechnic Institute to back up data. SUNY Polytechnic Institute and the IT Department are not responsible for lost data.
- Exercise caution in sharing documents with non-SUNY Polytechnic Institute users. Under SUNY Polytechnic Institute’s Terms of Service, Google asserts no ownership or use rights. Non- SUNY Polytechnic Institute users may be subject to different Terms of Service.
- Adhere to SUNY Polytechnic Institute policies regarding retention of course-related materials, where appropriate.
- Remove content prior to leaving SUNY Polytechnic Institute. User accounts will be purged, according to existing campus procedures. Once an account is purged, users will no longer have access to content.
- If you are employed by SUNY Polytechnic Institute, any documents you save or publish in SUNY Polytechnic Institute’s Google Docs/Drive may be subject to the NYS Freedom of Information Law(FOIL).
- Any document you save or publish in SUNY Polytechnic Institute Google Docs/Drive may be subject to privacy laws, such as FERPA and HIPAA.
If SUNY Polytechnic Institute receives a credible report that a violation has occurred, or if, in the course of managing the service, discovers evidence of a violation, then the matter will be referred for investigation, University disciplinary action, and/or criminal prosecution. Complaints that specific material violates the law or SUNY Polytechnic Institute policy should be reported to the Chief Information Officer.
Changes to this Policy
SUNY Polytechnic Institute reserves the right to change this policy at any time. Users should check this document periodically to ensure they remain in compliance. SUNY Polytechnic Institute will attempt to post the most up-to-date version of the policy on the SUNY Polytechnic Institute website and may, in its discretion, provide users with additional notice of significant changes. A user's continued use of the service after any changes are published binds the user to the revised policy.
Policy adopted from StonyBrook.edu as of March 1, 2017