Sunday, November 16, 2014

Talking points when admin wants to know if Google Apps Edu is secure

NOTE: This post does not constitute legal advice.

Recently, I have been hearing discussions in my district and others about how secure student information is in Google Apps for Education (GAFE). According to Google's security page, "more than 40 million students, teachers and administrators rely on Google Apps for Education". 

More and more GAFE schools are using tools like Google Drive to store student information from assessment scores and student portfolios to school counseling notes and student school health files. Is this ok? Of course you should always discuss these issues with your school legal counsel, but here is information I have found that might help when these discussions take place at your school.

“Google has proven that they’re a secure company. I don’t know of any school district that has passed the same rigor of security testing that Google has.”
Hank Thiele
Assistant Superintendent for Technology & Learning,
Maine Township High School District 207, Illinois

Google's servers are probably more secure than your school servers 

With more than 450 full time engineers, Google has one of the world's most advanced and secure infrastructures. Google Apps and Google Cloud Platform undergo examinations from independent auditors to make sure security and privacy controls are in place and working. You can read more on Google's security page. Additional resources can be found on the Google in Education page.

Is Google Apps for Edu FERPA compliant?

Google states that they comply with FERPA and the US-EU Safe Harbor agreement. Google Apps for Education complies with FERPA and our commitment to do so is included in our agreements. Google is registered with the US-EU Safe Harbor agreement, which helps ensure that our data protection compliance meets European Union standards for educational institutions.

Do you have to worry about HIPPA when storing student school health records on Google?

According to the U.S. Department of health and Human Services and the U. S. Department of Education, "Because student health information in education records is protected by FERPA, the HIPAA Privacy Rule excludes such information from its coverage. " Additionally, "At the elementary or secondary school level, students’ immunization and other health records that are maintained by a school district or individual school, including a school-operated health clinic, that receives funds under any program administered by the U.S. Department of Education are “education records” subject to FERPA, including health and medical records maintained by a school nurse who is employed by or under contract with a school or school district. "

Don't blame the technology

Inadvertent sharing of private student information could happen in a variety of ways (and I believe it has happened in the past before Google was in schools). Staff should be trained in all of the ways this can happen so they know how to treat student information in any situation.  Make sure school staff know how to keep student information private whether digital or hard copy and regardless if it is stored on Google's servers or in a file cabinet.

Tip of the day: Google Drive

Did you know you you can prevent others from downloading non native files in Google? When you upload PDF's, MS Word or other files you can select the file, open the details tab and then select the option to prevent users from downloading the file.  

Click the 'i' to open the details tab

When starting to use GAFE be sure your domain administrator sets the default sharing for docs to 'private' so that users have to manually share files. This can prevent sharing accidents.