Issued By:

Office of the Chief Information Officer

Approved:

May 2012

Effective:

July 2, 2012

Application

This policy applies to users of Google Apps for Education at Stony Brook University. Guidelines adopted by a division or department to meet specific academic or administrative needs must comply with this policy and with policies on the use of Stony Brook University information technology resources established by the University and the Division of Information Technology that include, but are not limited to, the following:

• Appropriate Use of Information Technology (P109)
• Access to Institutional Data (D100)
• Classification and Use of Information Assets (D101)
• Workstation Security (D104)
• Credential Security (D105)
• E-Mail (D106)
• Personnel Security Policy (D109)
• DoIT Policies

Purpose

Google Apps for Education is provided at Stony Brook University to support its education, research, public service and health care missions by offering a robust communication and collaboration platform for students, faculty, staff, alumni, and retirees to interact with one another and share information and knowledge. This suite of applications includes Gmail, Google Calendar, Google Docs/Drive, Google Sites, Google Talk, and Google Groups. Due to changes in Stony Brook's email services, many community members will now have their stonybrook.edu mail accounts hosted remotely by Google. Use of Google's suite of services is a privilege. Accordingly, all users of Google Apps for Education at the University are responsible for the proper use and protection of data stored in the system. In addition to the above-stated Stony Brook University policies, use of the Google Apps services is also governed by the Google Apps Terms of Service. Anyone in the Stony Brook University community utilizing Google Apps for Education services must agree and adhere to the Google Terms of Service that will be presented for review the first time they attempt to log into their account.

Policy

• Anyone in the Stony Brook University community utilizing Google Apps for Education services must be aware that their data may be stored in data centers outside the borders of the United States.
• As stated in the Stony Brook University Appropriate Use of Information Technology (P109) policy, anyone in the Stony Brook community utilizing Google Apps for Education services acknowledges that Stony Brook has the ability to monitor, use, or disclose their data, and that Google provides Stony Brook the ability to do so for system management and security purposes.
• Anyone in the Stony Brook University community utilizing Google Apps for Education services must acknowledge that Google can terminate their account if they fail to abide by the Google Terms of Service.
• Anyone in the Stony Brook University community utilizing Google Apps for Education must agree that they will not use the services for gambling, pornography, or for running a business.
• Anyone in the Stony Brook University community utilizing Google Apps for Education services must acknowledge and abide by the Google Sites Program Policies
• Anyone in the Stony Brook University community utilizing Google Apps for Education services is made aware of the Google Acceptable Use Policy that states you agree not to use the Google services provided to you:
  • to generate or facilitate unsolicited bulk commercial email;
  • to violate, or encourage the violation of, the legal rights of others;
  • for any unlawful, invasive, infringing, defamatory, or fraudulent purpose;
  • to intentionally distribute viruses, worms, Trojan horses, corrupted files, hoaxes, or other items of a destructive or deceptive nature;
  • to interfere with the use of the Google Apps services, or the equipment used to provide the services, by customers, authorized resellers, or other authorized users;
  • to alter, disable, interfere with or circumvent any aspect of the services;
  • to test or reverse-engineer the services in order to find limitations, vulnerabilities or evade filtering capabilities;
  • to use the services, or a component of the services, in a manner not authorized by Google

Failure to comply may result in suspension or termination, or both, of the services.

A full copy of the Google Apps Acceptable Use Policy may be found at http://www.google.com/apps/intl/en/terms/use_policy.html

Appropriate Use of Private and Sensitive Data

Stony Brook University, SUNY, and Google have negotiated contractual terms and conditions that protect the privacy and confidentiality of University student, faculty, staff, alumni and retiree data in the Stony Brook Google Apps suite of services. As a result, the use of Google Apps at Stony Brook to conduct University activities may be subject to the following restrictions for certain types of data:

Family Educational Rights and Privacy Act (FERPA) Data

The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student education records. Student data protected by FERPA is permitted in the Stony Brook Google Apps for Education suite of services, provided that the information is shared only between the student and those who have a legitimate education-related interest as defined by the University's Student Records policy. Student data should never be made publicly accessible.

Health Insurance Portability Accountability Act (HIPAA) and Protected Health Information (PHI) Data

Email, by its nature, is not a secure medium for sharing sensitive information, and Google Apps for Education should not be used to store or transmit protected health information (PHI). Individually-identifiable health information is legally protected by Federal HIPAA Privacy and Security laws as well as New York State regulations.

Protected health information should remain in a record system designed to contain health information and should be de-identified (stripped of all 18 HIPAA identifiers) before being shared electronically. If de-identifying the information is not possible, appropriate methods for securely transmitting the information include:

• Use of an integrated messaging system associated with a legally certified electronic health record system. If you must transmit PHI by email, use the secure email service provided by Stony Brook Medicine.
• Directory file sharing within a professionally managed and supported networked environment such as the University's "Active Directory" service.
• Use of a "dropbox-like" technology such as the University's Microsoft SharePoint service.

Additional obligations to remember when sharing PHI:

• Limit the amount of information to the minimum necessary that is required
• Misdirected information or incidents involving the inappropriate use of protected health information must be reported immediately. Misdirected health information must be included in all accounting of disclosures.
• Ensure that the recipient of the information is legally authorized to receive the information.

All questions or concerns regarding HIPAA or protected health information should be directed to:

Stephanie Musso
HIPAA Privacy Officer
Stony Brook University Medicine
(631) 444-5796
stephanie.musso@stonybrook.edu

Export Controlled Information

Export controlled technical data or software is not permitted in Stony Brook University's Google Apps for Education suite of services.

It can be a federal crime to share export-controlled technical data or software with others who are (a) not United States citizens or permanent United States residents, whether abroad or in the United States or (b) on a denied parties list.

If you think you have export-controlled restrictions placed on the technical data or software that you are sharing and/or receiving, please see http://research.stonybrook.edu/osp/exportcontrols.shtml or contact the Office of Research Compliance at (631) 632-9036.

Please note that email, by its nature, is an insecure medium for sharing sensitive information. Just as you would not include your Social Security number or credit card number in an email message, you should not include export-controlled technical data or software in email. The export of controlled technical data, software, or items may result in fines and penalties to both the individual and the institution.

Social Security Numbers, Driver's License Numbers, Financial Account/Credit Card Numbers

Stony Brook Google Apps should not be used to store, maintain or transmit Social Security numbers, driver's license numbers, financial account or credit card numbers. Such data should be stored only on systems approved for such use.

Intellectual Property Rights and Participation of External Users in Google Docs/Drive

Google Apps for Education users can invite other Google Apps users, both within the University and outside the University, to view data, co-edit documents, and use other collaboration tools. It is the responsibility of each user to ensure appropriate sharing controls are used in order to protect intellectual property placed in Google Apps for Stony Brook University, as well as to prevent accidental or undesirable file sharing. Authorized users are subject to the following additional requirements:

• Maintain the integrity of data files, including performing regular back-ups. Do not rely on Google or Stony Brook to back up data. Stony Brook is not responsible for lost data.
• Exercise caution in sharing documents with non-Stony Brook users. Under Stony Brook's Terms of Service, Google asserts no ownership or use rights. Non-Stony Brook users may be subject to different Terms of Service.
• Adhere to Stony Brook policies regarding retention of course-related materials, where appropriate.
• Remove content prior to leaving Stony Brook. User accounts will be purged, according to existing campus procedures. Once an account is purged, users will no longer have access to content.
• If you are employed by the University, any documents you save or publish in Stony Brook Google Docs/Drive may be subject to the New York State Freedom of Information Law (FOIL).
• Any document you save or publish in Stony Brook Google Docs/Drive may be subject to privacy laws, such as FERPA and HIPAA.

Enforcement

If the University receives a credible report that a violation has occurred, or if, in the course of managing the service, discovers evidence of a violation, then the matter will be referred for investigation, University disciplinary action, and/or criminal prosecution. Complaints that specific material violates the law or University policy should be reported to the Office of University Community Standards.

Changes to this Policy

Stony Brook reserves the right to change this policy at any time. Users should check this document periodically to ensure they remain in compliance. Stony Brook will post the most up-to-date version of the policy on the Stony Brook IT website (stonybrook.edu/it) and may, in its discretion, provide users with additional notice of significant changes. A user's continued use of the service after any changes are published binds the user to the revised policy.

Inquiries/Requests

Office of the Chief Information Officer
Room 231, Educational Communications Center
(631) 632-9085