Lehigh and Google have negotiated contractual terms and conditions that protect the privacy and confidentiality of university student, faculty, and staff data in the Lehigh Google Suite of services. The contract ensures that we continue to own our data; that Google will not share this data; and that Google will not data mine for commercial purposes. Google will keep our data in perpetuity, delete it when requested, and will not display advertisements within the suite of Core Apps. For an explanation of Google’s privacy and security policies, see:
...
- University Cloud Policy
- Lehigh University Services Guide for Data Storage, Processing, and Transmission
- Privacy policy
- Copyright Compliance
- Classification of Data policy and Services Guide for Data Storage, Processing, and Transmission
- Use of computer systems and facilities
Email is not secure
Email is an unsecured medium for sharing sensitive information. Lehigh has enabled and enforced data encryption in transit for all email going to or being read via the Lehigh gmail service either by the Web browser (HTTPS) or via IMAP clients (SSL). Although most email services now use encryption in transit, it is not guaranteed that a remote system is using encryption. Think of email as communicating via postcard -- it offers little in the way of security or privacy.
...
- Family Educational Rights and Privacy Act (FERPA) Data. The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student education records. Per Lehigh’s data classification policy, FERPA-protected records (and other confidential information “stored in an encrypted form within the personal network (LAN) file space of the individual and must not be backed up to a cloud storage service.”
- Personally-identifiable Information (PII). Personal identifiers, including Social Security, tax identification, driver’s license, and bank account numbers, listed in the Breach of Personal Information Notification Act, as well as other legally confidential data, are protected information.
- Financial Information (payment/credit card information). Pursuant to federal laws, Lehigh has a duty to safeguard every type of nonpublic, personally identifiable financial information. In addition, Lehigh must protect payment/credit card data and related account information. Examples include information provided on an application for a credit card, payment history, and account balance information.
- Health Insurance Portability Accountability Act (HIPAA) and Protected Health Information (PHI). Individually-identifiable health information is legally protected by Federal HIPAA Privacy and Security laws as well as Pennsylvania laws related to medical record confidentiality.
- Export-controlled and other sensitive information. The United States’ export control laws forbid the unlicensed transmission of controlled items, software, and information to certain countries. These export control laws apply to controlled items even when transmitted primarily for storage or for further transmission purposes. It can be a federal crime to share export-controlled information with collaborators who are not United States citizens or permanent United States residents.
- Human subjects data. Human subjects data is classified as Class II restricted information at Lehigh.
- Intellectual property. Lehigh G Suite users can invite other G Suite users (and non-users), both within the university and outside the university, to view data, co-edit documents, and use other collaboration tools. It is the responsibility of each user to ensure that appropriate sharing controls are used in order to protect Lehigh’s intellectual property or third party confidential proprietary information provided to the university under contractual terms requiring non-disclosure.
Accidental loss of data
LTS will make every effort to recover lost data, but recovery should not be assumed.
...