The University of Maryland initially began offering Google Apps accounts to UMD students under the name "Terpmail". The Smith School of Business under the umbrella of the contract UMD negotiated with Google implemented it's own instance of Google Apps under the name of "Smoogle" in 2012 and migrated faculty, staff and students to the new platform. The information below explains the appropriate use of private and sensitive data utilizing the Google Apps Education Edition as it relates to your role at the Smith School.
The University of Maryland has negotiated a contract with Google with terms and conditions that protect the privacy and confidentiality of our students, faculty, staff and alumni data stored in the Google Apps suite of services (a.k.a. Smoogle). You can therefore use Smoogle to perform the functions of your role to conduct School activities in accordance with the following:
As Google clearly outlines in it's own documentation and the contract:
You can read an unambiguous clearly-worded explanation of Google's privacy and security policies here:
By it's nature, email is an unsecured medium for sharing sensitive information. Encryption has been enabled for all data in transit to and from Smoogle service either by your webbrowser (HTTPS) or via IMAP/POP clients (SSL), once the email leaves the Gmail service you cannot guarantee that the recipient is receiving or reading the email via a secure channel.
You should never include Social Security or credit card numbers or other sensitive information in an unencrypted email message.
At a minimum, if a document contains sensitive data and is to be attached to an email message, then that document should be encrypted before being attached. The latest versions of Microsoft Word and Excel can easily encrypt documents using a password and new versions of Adobe Acrobat can securely PDF files. Do not send the password in the same email as the document!
A better alternative for sharing sensitive information is to provide a link to a document on a secure file server (files.rhsmith.umd.edu for facutly and staff, otherwise known as the "O: drive" or "departmental drive") that only authorized users have access to.
Google Docs services are secure if used properly and can be used as an alternative to sending attachments, however as noted below there are some types of information that should never be transferred or stored via Smoogle.
The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student education records. Student data protected by FERPA is permitted in Smoogle services. It is subject to access by school officials who have a legitimate educational interest as well as by other identified officials, as defined and identified by the university’s FERPA privacy regulation.
To the extent that Google has access to student educational records as a contractor for the university, it is deemed a “school official,” as defined by FERPA, under the University of Maryland Agreement and will comply with its obligations under FERPA. Personally identifiable student data should never be made publicly accessible without the student’s signed, written consent.
Personal identifiers, including Social Security, tax identification, drivers license, and bank account numbers, as well as other legally confidential data, are protected information. Users should not share or transmit any of this information utilizing Smoogle.
For further information on the University's policies see:
Pursuant to Federal laws, the University of Maryland has a duty to safeguard every type of nonpublic, personally identifiable financial information. In addition, UMD must protect payment/credit card data and related account information. Examples include information provided on an application for a credit card, payment history, and account balance information. In order to continue to safeguard and protect Users’ financial information, Users should not utilize Smoogle to share or transmit any form of financial account or credit card information.
Individually-identifiable health information is legally protected by Federal HIPAA Privacy and Security laws. Email, by its nature, is not a secure medium for sharing sensitive information, and Smoogle should not be used to store or transmit protected health information (PHI) except as indicated below.
PHI should remain in a record system designed to contain health information and should be de-identified (stripped of all 18 HIPAA identifiers) before being shared electronically. If de-identifying the information is not possible, appropriate methods for securely transmitting the information include:
Additional obligations to remember when sharing PHI:
See here for the UMD policy and procedures document on compliance with HIPAA.
The United States’ export control laws forbid the unlicensed transmission of controlled items, software, and information to certain countries. These export control laws apply to controlled items even when transmitted primarily for storage or for further transmission purposes.
Email is not a good primary data transmission method for faculty and staff engaged in sensitive or highly-regulated subject matter. In particular, users of Smoogle must be aware that their data may be stored in data centers outside the United States. For these reasons, researchers working with controlled material should use another, secure means of data transmission. Export-controlled information is not permitted in Smoogle, including transmission via the Gmail service.
While it may be appropriate to communicate via the campus Gmail service with fellow university researchers generally about the projects that involve controlled material, you should not include export-controlled data in email. If this is simply not practical, then one alternative for sharing sensitive data is to encrypt it and share it via the files.rhsmith.umd.edu server or the University provided Box service.
Export-controlled data are legally protected and of high consequence. If you are uncertain whether your data are subject to export control laws, and/or whether you can send this data via email, please contact University of Maryland Export Compliance Office at 301 405 4212. See their website for more information.
Smoogle users can invite other Google Apps users, both within the university and outside the university, to view data, co-edit documents, and use other collaboration tools. It is the responsibility of each user to ensure that appropriate sharing controls are used in order to protect the University of Maryland's intellectual property or third party confidential proprietary information provided to the university under contractual terms requiring non-disclosure.
All users of Smoogle are expected to read and know the following:
Our since thanks to NC State for providing the source material that this document was based upon.