skip to primary navigationskip to content
 

Personal data security

Common questions about personal data and privacy with respect to Google accounts.
  1. Is the University passing any of my personal data to Google, and if so, what is being transferred?

    Yes, Information Services (UIS) passes some personal data to Google to enable them to provide you with the Google Apps @ Cambridge service. The information given to Google is that needed to create a Google Apps @ Cambridge account only. Your personal data is passed to Google only once you have accepted the terms and conditions of the service. Only the personal details of those who have chosen to use the service are transferred to Google.

    The actual data we pass to Google is your name (as it appears in the user administration database) and your CRSid. The privacy policy for Google Apps @ Cambridge provides further details about what personal information may be recorded and how it is used.

  2. Where is information I save in Google Apps @ Cambridge stored?

    Any information you save in Google Apps @ Cambridge is stored by Google on Google's servers. It is not stored on any systems operated by UIS.

    Google complies with the US Department of Commerce's 'Safe Harbor' framework and holds Safe Harbor certification. Google has undertaken to retain this certification and to comply with the Safe Harbor principles of notice, choice, onward transfer, access, security and data integrity, and enforcement issued by the US Department of Commerce or a comparable framework for cross-border data transfer agreed with the European Union.

    Under the terms of the contract Google may store and process your data in the United States or any other country in which Google maintains facilities. The University has confirmed with the Information Commissioner that such data transfers are acceptable within the terms of the Data Protection Act (1998) whilst the Safe Harbor framework principles are met.

  3. What can Google do with the data I store in the Google Apps @ Cambridge service?

    The University and Google have a contract that defines what Google may do with any data you store within the Google Apps @ Cambridge service.

    • Intellecual Property: Your retain all rights over any intellectual property you store in Google Apps. Equally, Google retains all intellectual property rights it holds in its provision and delivery of the service.

    • Personal Data: Google may scan and index data you store in Google Apps @ Cambridge for limited purposes in relation to providing you with this service. This may include personal data. The limited purposes set out in the contract are:
      1. To enable you to search for information in stored in your account.
      2. To enable Google to perform spam filtering, virus protection and similar security tasks.
      3. To allow Google to respond to requests for assistance by yourself or Information Services in relation to the provision of this service.
      4. To allow Google to meet its legal obligations (but not including any contractual agreements with third parties).
      5. To otherise enable Google to provide you with the Google Apps @ Cambridge service.

    Google's scanning and indexing is an automated process. Google has given an undertaking that no person will inspect information you have stored on Google's servers unless such inspection is necessary to resolve a request for assistance or to fulfil a legal obligation.

  4. Google provides this service to the University under contract, what exactly did we sign?

    You can read the full text of the University's Google Apps Education Edition agreement with Google

  5. Who owns data sent to Google Apps?

    The contract says (section 7.1):

    Except as expressly set forth herein, this Agreement does not grant either party any rights, implied or otherwise, to the other's content or any of the other's intellectual property. As between the parties, Customer owns all Intellectual Property Rights in Customer Data, and Google owns all Intellectual Property Rights in the Services.


    Our reading of this is that the person who puts data into Google Apps own the intellectual property rights in it.

  6. Will data stored on Google's servers be shared with the U.S. Government?

    The contract says (section 1.10):

    Other provisions of this Agreement notwithstanding, Google may scan or index Customer Data for the following purposes only: … (iv) to allow Google to meet its legal obligations; …


    Personal data can be disclosed when required by law, for example in relation to national security considerations. An analgous situation occurs in England and Wales with similar requests from UK law enforcement agencies which can be answered within the terms of the DPA.

    In all cases, you should satisfy yourself that Google Apps is an appropriate place to store any form of data.

 

Last updated: September 2016