Google Drive security question


Jocelynn Buckentin

Apr 26, 2016, 11:53:41 AM
to Key Instructional Contacts (KIC)
Greetings KIC,
I have a question. Do the rules of HIPAA, FERPA, COPPA, CJIS and PCI prevent district business offices from storing documents that contain sensitive data in Google Drive? We are using Virtru and Gmail for secure mail, but as of right now our business office only stores documents of this nature on our server with restricted access. I know they could do this similarly in Google Drive, however I was told today that these types of documents could not be stored in the cloud. Does anyone have more information about this?

Thanks,

Jocelynn Buckentin
Technology Innovation Specialist
Hutchinson Public Schools

Joel VerDuin

Apr 26, 2016, 12:11:28 PM
to Jocelynn Buckentin, Key Instructional Contacts (KIC)
Hello Jocelynn...

Shortest answer possible... Cloud storage can be acceptable for sensitive information...

My much longer answer is that every organization needs a process and identified person who will determine what it takes to trust a cloud provider and subsequently how that message will be communicated to everyone in the organization that vendor x, y, or z is on the trusted list.

By not doing this, the people in the organization are left with a very confusing message. (Trust me, I know)

For a good example of what this looks like in the last stage (communicating) see the UofM's statements:
   (ignore the HIPAA statement in this first one - since they are saying do not use Gmail for HIPAA information)
So... somehow a University, with a ton of legal counsel arrived at the position that THE most private information they have could be used with Google Apps - seems like they might be on to something.

Joel A. VerDuin, Ed.D.
Chief Technology and Information Officer
Anoka-Hennepin School District

--
To post: send email to
Key_Instructi...@googlegroups.com
 
To unsubscribe: send email to
Key_Instructional_C...@googlegroups.com
 
For more options, visit this group at:
http://groups.google.com/group/Key_Instructional_Contacts?hl=en
---
You received this message because you are subscribed to the Google Groups "Key Instructional Contacts (KIC)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to key_instructional_c...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Curtis Griesel

Apr 26, 2016, 12:15:00 PM
to Jocelynn Buckentin, Key Instructional Contacts (KIC)
There is no clear-cut answer to this question. There is no such thing as "HIPAA" certified services that you can rely on. It is a matter for your legal department and your IT department to hash out, to decide if the lawyers are comfortable with the IT department's ability to fulfill the requirements of HIPAA, FERPA and so on. There are certainly ways to implement compliance with these mandates in the cloud, but the easiest path for many organizations is simply to say no protected documents allowed outside of our secured network, and leave it at that. You are pretty much at the mercy of whatever your legal and IT departments come up with.


Doug Johnson, TechDir

Apr 26, 2016, 2:26:39 PM
to Curtis Griesel, Jocelynn Buckentin, Key Instructional Contacts (KIC)
I would add to Curtis's comments that you better damn well show due diligence and have a heck of a lot of in-house expertise if you claim your local network is "secure." Personally, I think the liability is greater if the district claims to have a "secure" network than saying it is using a cloud-based service with policies in place and a good track record. IMHO.

And I would add to Joel's recommendation that encoded/secured data transfer protocols are recommended as well, with https at minimum being required.

Is secured storage a service TIES can/should be offering its member districts for those who feel reluctant to use GoogleDrive?

Doug


Doug Johnson

Director of Technology

Tel.   952.707.2065

Web  www.isd191.org


100 River Ridge Court

Burnsville, MN 55337



Bruce DeWitt

Apr 26, 2016, 3:16:04 PM
to Jocelynn Buckentin, Key Instructional Contacts (KIC)
Jocelynn,
I would add that in the EULA agreement Google agrees to be FERPA compliant:

7.4 FERPA. The parties acknowledge that (a) Customer Data may include personally identifiable information from education records that are subject to FERPA ("FERPA Records"); and (b) to the extent that Customer Data includes FERPA Records, Google will be considered a "School Official" (as that term is used in FERPA and its implementing regulations) and will comply with FERPA.


HIPAA's application to schools is limited as health records are generally treated as school records falling under FERPA.


For COPPA we are talking about parental notification of the collection of personal student data over confidentiality/security of student data, and Google maintains it's our responsibility as districts to notify parents RE internet usage:

2.5 Parental Consent. Under section 10.1 below, Customer is responsible for compliance with the Children's Online Privacy Protection Act of 1998, including obtaining parental consent for collection of personal information in the Services or Non-Google Apps Products Customer allows End Users to access. Customer will also obtain parental consent before allowing any End Users under the age of 18 to use Non-Google Apps Products.

Finally, as Doug said, you might ask if your data center maintains this level of security for student data housed inside your network with all files stored with random file names not stored in clear text?



Bruce DeWitt
Technology Facilitator 
Anoka-Hennepin Schools


Curtis Griesel

Apr 26, 2016, 4:06:01 PM
to Bruce DeWitt, Jocelynn Buckentin, Key Instructional Contacts (KIC)
In my opinion the main sticking point is that most privacy regulations require the user device to automatically log out after a certain idle period. A Windows local network can be configured to log out any connected computer after a specified idle time. If your data is on the cloud you need to make sure that any device that connects to it on the cloud has this automatic logout setting set, which is not set by default on most devices.

The cloud itself is secure, but once information is on the cloud, how do you guarantee that every device used to access the information is secure?

Jocelynn Buckentin

Apr 28, 2016, 10:35:30 AM
to Key Instructional Contacts (KIC)
Thank you everyone. This information was incredibly helpful. It is spawning a greater conversation in my district about data and security, which is wonderful. Does anyone use Backupify?

Thanks!

Jocelynn Buckentin

Apr 28, 2016, 1:37:12 PM
to Key Instructional Contacts (KIC)
I'm not sure how I deleted the last two responses, so forgive me, but for the sake of keeping this conversation as a wonderful reference, I'm reposting what I deleted: 

Jacob Quade (Mankato)

10:05 AM (2 hours ago)

Mankato uses Backupify.

DeWitt, Bruce (Anoka Hennepin)

12:03 PM (30 minutes ago)

We do!  We back up staff accounts not student accounts as you can restore accounts pretty easily.

Jacob Quade

Apr 28, 2016, 2:01:45 PM
to Jocelynn Buckentin, Key Instructional Contacts (KIC)
Mankato uses Backupify.

--
Jacob Quade
Network/Information Technology Manager
Mankato Area Public Schools
West Annex Room 1204
1351 S Riverfront Dr 
Mankato, MN 56001
Phone 507.387.7698 x3899
Cell 507.327.7007
Fax 507.387.2496 

"Assuring learning excellence and readiness for a changing world."


Lindley, Nathaniel

Apr 28, 2016, 3:33:19 PM
to Jacob Quade, Jocelynn Buckentin, Key Instructional Contacts (KIC)

Edina used Backupify, currently using SysCloud.  May go back to Backupify.

 

Nathaniel Lindley

Supervisor of Technology Services

Edina Public Schools, MN

nathanie...@edinaschools.org

O: 952-848-4965

M: 612-208-7802
