Acceptable Use and Data Security
In October 2009, the Office of Information Technology (OIT) began to offer Google accounts to University of Minnesota students, faculty, and staff. The information provided below explains the appropriate use of private and sensitive data as it relates to your role at the University.
Appropriate Use of Private and Sensitive Data
The University of Minnesota and Google have negotiated contractual terms and conditions that protect the privacy and confidentiality of University student, faculty, staff, and alumni data in the U of M Google Apps suite of services. As a result, you may use Google Apps for the University of Minnesota to conduct University activities that are aligned with your role at the University, provided that you do so according to the University’s Acceptable Use Policy, found at www.policy.umn.edu/Policies/it/Use/ITRESOURCES.html and according to the restrictions that are outlined in this document for certain types of data.
Family Educational Rights and Privacy Act (FERPA) Data
Data protected by the Family Educational Rights and Privacy Act (FERPA) is permitted in Google Apps for the University of Minnesota, provided information is shared only between the student and those who have a legitimate education-related interest as defined by the University's Managing Student Records policy. www.policy.umn.edu/Policies/Education/Student/STUDENTRECORDS.html.
Health Insurance Portability Accountability Act (HIPAA) and Protected Health Information (PHI) Data
Data protected by the federal Health Insurance Portability and Accountability Act (HIPAA), and Protected Health Information (PHI) are not permitted in Google Apps for the University of Minnesota, with the exception of uses covered by the Business Associates Agreement (BAA) between the University and Google. The only Apps that are covered by the BAA are GMail, Calendar, and Drive/Docs for the University of Minnesota and only units restricted to a separate organizational unit can use these Apps with PHI. Please see the Guidelines for Email and Protected Health Information http://z.umn.edu/phipolicy for additional information on using email and PHI.
Protected health information should remain in a record system designed to contain health information and should be de-identified (stripped of all 18 HIPAA identifiers) before being shared electronically. See the University’s ‘De-Indentifying Data’ procedures. If de-identifying the information is not possible, appropriate methods for securely transmitting the information include:
- Use of integrated messaging system associated with a legally certified electronic health record system.
- Directory file sharing within a professionally managed and supported networked environment such as the University’s “Active Directory” service.
- Use of a “dropbox-like” technology such as the University’s NetFiles service.
Additional obligations to remember when sharing PHI:
- Limit the amount of information to the minimum necessary that is required
- Misdirected information or incidents involving the inappropriate use of protected health information must be reported immediately. Misdirected health information must be included in all accounting of disclosures.
- Ensure that the recipient of the information is legally authorized to receive the information.
All questions or concerns regarding HIPAA or protected health information should be directed to:
Privacy and Security Office
University of Minnesota
Export Controlled Information
Export controlled information is not permitted in U of M Google Apps. It can be a federal crime to share export-controlled information with collaborators who are not United States citizens or permanent United States residents. Because the requirements for Export Controlled data are contrary to the University’s Openness in Research Policy, found at www.umn.edu/regents/policies/academic/Openness_in_Research.html, the University of Minnesota takes every reasonable step to avoid receiving or maintaining Export Controlled information.
If you think that you have export controlled restrictions placed on your data, see www.research.umn.edu/regulations/export_controls.html.
Please note that email, by its nature, is an unsecure medium for sharing sensitive information. Just as you wouldn’t include your Social Security number or credit card number in an email message, you should not include export controlled data in email. If this is simply not practical, then you need to de-identify the data to assure its privacy.
Export controlled data are legally protected and of high consequence.
Intellectual Property Rights and Participation
of External Users
Google Apps users can invite other Google Apps users, both within the University and outside the University, to view data, co-edit documents, and use other collaboration tools. It is the responsibility of each user to ensure appropriate sharing controls are used in order to protect intellectual property placed in Google Apps for the University of Minnesota, as well as to prevent accidental or undesirable file sharing.