Student Data Privacy in Google Apps

Over the past few years, LPS employees have begun to explore the powerful tools within the LPS Google Apps suite. Teachers and Administrators have observed many new opportunities to more efficiently collect, reference and analyze information in this suite, more so than in any tool previously available to all staff. With that in mind many have considered, or have even begun putting together Google forms, collaborative spreadsheets, Google Classrooms and other documents that are used in formative assessment or to aggregate and put form to many anecdotal records that have always existed. PLC work has also begun to adopt these ideas and many teams are collecting data that is explicitly tied to individual students, but analyzed in aggregate.

As Educators we all recognize the importance of protecting the students and families we serve by maintaining data security at every possible juncture. Realizing the “cloud” based nature of the LPS Google Docs is a point of concern for everyone. Since there is no local copy of these files on our computers, where does the data ultimately exist – and who has access to it? These questions have given us a justified pause.

The tools that we refer to generically as “Google Docs” exist in an environment that Google refers to as its “Google Apps for Education.” These tools are held separate from the tool set available to businesses or the general public. Only verified educational institutions can participate in the “Apps for Education” program. In LPS this is our CLASS.LPS.ORG environment.

Keeping the Education version of these apps separate from the publicly available versions allows Google to maintain different licensing, terms of service, and privacy standards than apply to the business or general public’s tools. To that end, Google provides some guidance and clarification on these topics.

Google works to be as transparent about security issues as possible. Some common questions and concerns are specifically addressed below, but the following resources will allow you to look deeper into these issues on your own if you are so inclined.

 

CAUTION: Be aware of your audience when sharing

The weakest part of any secure digital environment is the human beings using it. By default every Google Doc is private to the creator. LPS staff members can choose to share documents with other staff members, students, or with the public (outside of class.lps.org.) Teachers should be vigilant about NOT sharing any sensitive student information with students or the public.

 

Important Questions to Consider

Which Google Products does this apply to?

According to the Terms of Service, this applies to Google Apps for Education Core Services (Mail, Calendar, Talk/Hangouts, Drive, Sites, and Contacts), and Google Classroom.

Who owns the content produced in Google Apps for Education?

The Google Apps Terms of Service contractually ensures that your institution (students, faculty, and staff) are the sole owners of their data. Your Apps content belongs to your school, or individual users at your school. Not Google.

Who can see our content?

Google does not look at your content. Google employees will only access content that you store on Apps when an administrator from LPS grants Google employees explicit permission to do so for troubleshooting.

Who is our content shared with?

Google does not share your content. Google does not share personal information with advertisers or other 3rd parties without your consent.

Google complies with applicable US privacy law, and the Google Apps Terms of Service specifically details obligations and compliance with FERPA (Family Educational Rights and Privacy Act) regulations.

Are Google Apps for Education FERPA compliant?

The Terms of Service for Google Apps for Education specifically address this question as follows:

5.4 FERPA
The parties acknowledge that (a) Customer Data may include personally identifiable information from education records that are subject to FERPA (“FERPA Records”); and (b) to the extent that Customer Data includes FERPA Records, Google will be considered a “School Official” (as that term is used in FERPA and its implementing regulations) and will comply with FERPA.
Where is content stored?

Your data is stored in Google’s network of data centers. Google maintains a number of geographically distributed data centers, the locations of which are kept discreet for security purposes. Access to data centers is very limited to only authorized select Google employees personnel.

Is content safe from others when it is running on the same servers?

Yes. All user accounts are protected via virtual lock and key that ensures that one user cannot see another user’s data. This is similar to how customer data is segmented in other shared infrastructures such as online banking applications.

Google Apps has received a satisfactory SSAE 16 Type II audit. This means that an independent auditor has examined the controls protecting the data in Google Apps (including logical security, privacy, Data Center security, etc) and provided reasonable assurance that these controls are in place and operating effectively.