The Google Apps for Education suite, known locally as ScarletApps, is available for students, faculty and staff. ScarletApps provides a convenient array of tools for communicating and sharing information. Contractual terms and conditions have been negotiated that protect the privacy and confidentiality of data associated with the core suite of Google Apps for Education (i.e. Gmail, Calendar, Docs, Sites, Video). While this agreement provides a measure of protection, it is important to remember that privacy and security remain the individual's responsibility and that email, by its nature, is not a secure medium for sharing sensitive information.
The implementation of Google Apps provides an opportunity to remind ourselves of the various policies, guidelines and regulations concerning the handling of private and sensitive data. While these apply to Google, they also apply to email systems in general, as well as to third-party and cloud services.
Google Apps services should be used responsibly and in accordance with the University's Acceptable Use Policy for Computing and Information Technology Resources (70.1.1). Google Apps may be used for conducting university activities appropriate to an individual's role at the University provided it is in compliance with the Acceptable Use Policy, the Information Security Classification Policy and the following regulations and data use restrictions.
| Data Category | Permitted on Google/ScarletApps, Email, or 3rd-party services? |
|---|---|
| Export Controlled Data | No |
| Financial Data (GLBA) | No |
| Health Information (PHI, HIPAA) | No |
| Human Subject Research Data | No |
| Intellectual Property | See below |
| Payment Card Industry (PCI) Information | No |
| Personally Identifiable Information (New Jersey Identity Theft Prevention Act) | No |
| Student Educational Records (FERPA) | Yes |
Export Controlled Information - Guidelines
Export controlled information is not permitted in Rutgers Google Apps (or other cloud services). It can be a federal crime to share export-controlled information with collaborators who are not United States citizens or permanent United States residents. The Office of the Vice President for Research and Economic Development has issued guidelines for export controlled information. Please note that email, by its nature, is an insecure medium for sharing sensitive information. Just as you would not include your Social Security number or credit card number in an email message, you should not include export controlled data in email. Export controlled data are legally protected and of high consequence.
Financial Data - Gramm-Leach Bliley Act (GLBA)
The Gramm-Leach-Bliley Act (GLBA) includes provisions to protect consumers' personal financial information held by financial institutions. The University is obligated by federal regulation and policy to protect this data. Communication of financial aid or payment of fines may be subject to GLBA requirements. The GLBA working group is currently responsible for managing this effort. See http://rusecure.rutgers.edu/content/gramm-leach-bliley-act-glba.
Health Information - Health Insurance Portability and Accountability Act (HIPAA) and Protected Health Information (PHI) Data
Email should not be used to store or transmit protected health information (PHI). Individually identifiable health information is legally protected by the federal HIPAA Privacy and Security Rules as well as New Jersey State regulations. All questions or concerns regarding HIPAA or protected information should be directed to the Office of Student Affairs Compliance.
Human Subject Research Data
Human Subject Research data is a body of personally identifiable data elements collected in the course of research with living human beings. Human Subject Research regulations require adequate provisions to protect the privacy of subjects and to maintain the confidentiality of data by limiting access from external third parties, including vendor service administrators. For more information, visit Protection of Human Research Subjects, and consult the IRB and OHRP for regulatory guidance.
Intellectual Property - Collaboration Use
Google Apps (or other cloud services) users may use collaboration tools to view data, co-edit documents, etc. It is the responsibility of each user to ensure that appropriate sharing controls are used in order to protect Rutgers intellectual property or third-party confidential proprietary information provided to the University under contractual terms requiring non-disclosure. Details of intellectual property use are in the Rutgers Copyright Policy.
Payment Card Industry (PCI) Information
The Payment Card Industry Data Security Standard (PCI-DSS) requires entities processing credit card transactions to enforce stringent security requirements for stored credit card information. These requirements apply to third-party service providers, including Google. Cardholder data is defined as the full magnetic stripe or the Primary Account Number (PAN) plus any of the following: cardholder name, expiration date, and service code. See http://rusecure.rutgers.edu/content/payment-card-industry-pci and the Credit Card Acceptance policy.
Personally-identifiable Information - New Jersey Identity Theft Prevention Act
The New Jersey Identity Theft Prevention Act is a state law that limits the use and display of certain personal information, and requires Rutgers and other businesses to notify New Jersey consumers if this information has been compromised. "Personal information" is defined as the first name or first initial and last name linked with any one or more of the following data elements: (i) social security number; (ii) account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account; (iii) State identification card number; (iv) driver's license number; (v) date of birth. According to state law and University policy, business units and individuals shall not store or transfer data containing personal information to another unit, private entity or public entity over the network unless it meets a valid business purpose and a secure network transmission is used.
Student Educational Records - The Family Educational Rights and Privacy Act (FERPA)
FERPA is a federal law that protects the privacy of student education records. Student data protected by FERPA is permitted in the Rutgers Google Apps services provided that the information is shared only between the student and those who have a legitimate education-related interest.