Google: Apps, Grades, Security and Sensitive Information

Circle of icons related to Google mailThe following is a memo sent to Brown faculty and staff from Michael Pickett, Vice President and Chief Information Officer, on Nov. 29.  It is reprinted here to complement the other Google-related content in this issue of the newsletter.

The 2010/2011 academic year is the first to utilize Google Apps for Education (GAE) campus wide. GAE has brought a powerful and collaborative set of tools to Brown, including an easy way to store and share documents and data through Google Docs.

Our use of these new and evolving tools has raised questions about best practices, proper use, and security. Specifically, we have received questions whether it is appropriate to use Google Docs for storing and sharing grades or information like tenure committee data.

There are two essential points to keep in mind in answering this question.

  1. The Google Apps we use at Brown is NOT the commercial Google platform. A review by Brown’s Information Security Group as well as the security experts in corporations around the world have found that Google Apps is a secure set of tools for most daily work.
  2. Like all technology, Google Apps is only as secure as the people and processes behind it. Information stored in Google is secure, just as is information stored in locked file cabinets. When information is shared—whether in print or electronic form—care must be taken.

Appropriate and inappropriate uses of Google Apps:

  1. As long as appropriate care is taken in sharing information (see below), Google Apps may be used to store and share information such as grades. In general, Google Apps is appropriate for most Brown information including Family Educational Rights and Privacy Act (FERPA) protected data and other information that we are not allowed to share broadly.
    Historically, grades and other information about students have been shared between the faculty and TAs via email, spreadsheets, and hard copy documents. All of those methods have security concerns and deficiencies. The use of a Google Doc for these purposes has advantages over previously used methods. Remember that only graduate TAs should be granted access to view student grades and that evaluation and grading is the exclusive responsibility of those with a formal instructional appointment. Furthermore, class roster information that includes identifying information about students should never be “published to the web,” since FERPA guidelines prohibit release of such information outside the confines of the institution.
  2. State and federal laws and policies control some types of information for which Google may not currently be certified as appropriate. Examples of these types of controlled information include social security numbers as well as federally protected personal health data which falls under Health Insurance Portability and Accountability (HIPAA) regulations. A final example of data that would be inappropriate for GAE would be data that falls under the federal International Traffic in Arms (ITAR) regulations.
  3. Private documents: The security of the Google Apps platform is more than sufficient for private documents, such as tenure committee discussions, personal papers, class prep, and research notes. Simply bear in mind the precautions listed below when sharing the document(s) with others. CIS and the University stand behind the security and use of Google Apps, and we encourage its use for most information except where that information is incompatible with GAE due to federal, state or policy regulation. Policies and regulations change, so be cautious; if you are concerned or have questions, feel free to ask for guidance.

Guidelines for sharing data securely:

  • Check the email address: Be sure that you are choosing the proper email address, as there are many similar and duplicate names in our directory. It is also possible to share the document with any individual outside of the organization by simply entering an email address. In any of these scenarios it is essential that you are 100% certain that the entry made is that of the colleague that you intend to share the data with, and that they will use it responsibly.
  • Check the scope of distribution: choose wisely as to whether you want those you are sharing a document with to have only “view” access, or the ability to edit the document. When you provide someone the ability to “can edit”, they also have the ability to share it with others. Also, be aware of the option to “publish to the web”, and recognize whether the info you are publishing is appropriate for that view.
  • Additional information and frequently asked questions on sharing Google docs can be found on Brown’s Google Support site at https://sites.google.com/a/brown.edu/google-migration-project-site/how-to/google-docs-best-practices

Finally, since the Brown community has been using GAE for several months now, we are moving to the stage where community members are taking advantage of the collaborative tools in the Google Apps suite. In addition to Google docs and sites, we have seen widespread usage of Google forms, chat, video chat, and Google groups. CIS continues to develop training offerings to help the community take advantage of the collaborative tools in GAE. Please visit http://training.brown.edu/index.php?campaign=55 for an updated list of all training currently offered for GoogleApps@Brown.

Brown’s move to GAE has been nationally recognized for its vision and implementation, and it provides the university with a robust and collaborative platform for communication and storage. Additional GAE support and Frequently Asked Questions can be found on the CIS Google Support page, found at https://sites.google.com/a/brown.edu/google-migration-project-site.

Posted in Safe Computing, Winter 2011 Edition | Comments Off