You are here


Google Apps: Acceptable Use and Data Security

In October 2009, the Office of Information Technology (OIT) began to offer Google accounts to University of Minnesota students, faculty, and staff. The information provided below explains the appropriate use of private and sensitive data as it relates to your role at the University.

Appropriate Use of Private and Sensitive Data

The University of Minnesota and Google have negotiated contractual terms and conditions that protect the privacy and confidentiality of University student, faculty, staff, and alumni data in the U of M Google Apps suite of services. As a result, you may use Google Apps for the University of Minnesota to conduct University activities that are aligned with your role at the University, provided that you do so according to the University’s Acceptable Use Policy, found at and according to the restrictions that are outlined in this document for certain types of data.

Family Educational Rights and Privacy Act (FERPA) Data

The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student education records. Student data protected by FERPA is permitted in the U of M Google Apps services, provided that the information is shared only between the student and those who have a legitimate education-related interest as defined by University’s Managing Student Records policy. Student data should never be made publicly accessible.

Health Insurance Portability Accountability Act (HIPAA) and Protected Health Information (PHI) Data

Email, by its nature, is not a secure medium for sharing sensitive information, and Google Apps should not be used to store or transmit protected health information (PHI). Individually-identifiable health information is legally protected by Federal HIPAA Privacy and Security laws as well as by Minnesota State regulations.

Protected health information should remain in a record system designed to contain health information and should be de-identified (stripped of all 18 HIPAA identifiers) before being shared electronically. See the

Additional obligations to remember when sharing PHI:

  • Limit the amount of information to the minimum necessary that is required.

  • Misdirected information or incidents involving the inappropriate use of protected health information must be reported immediately. Misdirected health information must be included in all accounting of disclosures.

  • Ensure that the recipient of the information is legally authorized to receive the information.

All questions or concerns regarding HIPAA or protected health information should be directed to:

Privacy and Security Office

University of Minnesota

(612) 624-7447

Export Controlled Information

Export controlled information is not permitted in U of M Google Apps. It can be a federal crime to share export-controlled information with collaborators who are not United States citizens or permanent United States residents. Because the requirements for Export Controlled data are contrary to the University’s Openness in Research Policy, found at, the University of Minnesota takes every reasonable step to avoid receiving or maintaining Export Controlled information.

If you think that you have export controlled restrictions placed on your data, see

Please note that email, by its nature, is an unsecure medium for sharing sensitive information. Just as you wouldn’t include your Social Security number or credit card number in an email message, you should not include export controlled data in email. If this is simply not practical, then you need to de-identify the data to assure its privacy.

Export controlled data are legally protected and of high consequence.

Intellectual Property Rights and Participation of External Users

Google Apps users can invite other Google Apps users, both within the University and outside the University, to view data, co-edit documents, and use other collaboration tools. It is the responsibility of each user to ensure appropriate sharing controls are used in order to protect intellectual property placed in Google Apps for the University of Minnesota, as well as to prevent accidental or undesirable file sharing.

Your Data Is Private with Google Apps for Education

  • Google does not own your data.
  • Google does not share your data.
  • Google keeps the data as long as you want them to.
  • Google deletes the data when you ask them to.

For a clearly-worded explanation of Google's privacy and security policies, see Google Security and Privacy for Schools, as well as their general Security and Privacy page.

Additional Information

It's important to remember that there is a difference between University of Minnesota Google Apps accounts and personal Google/ accounts. They are totally separate from each other, and fall under separate and different contractual agreements, as well as different terms of service. Institutions that use Google Apps for their email, calendar and the other core applications, have individual contracts with Google that define how data is handled and stored.

The University of Minnesota has a separate contract with Google, and Google remains in compliance with the confidentiality and security obligations provided to our domains under this contract. The privacy policy does not change this contractual agreement between Google and the University, and the University's core suite of applications, including Gmail (email), Google Docs (word processing, spreadsheets, and presentations), Google Calendar, Google Talk (instant messaging), and Google Sites, are not affected by the policy.



ServiceNow Article ID