Lehigh G Suite: Best practices for data security

Lehigh and Google have negotiated contractual terms and conditions that protect the privacy and confidentiality of university student, faculty, and staff data in the Lehigh Google Suite of services. The contract ensures that we continue to own our data; that Google will not share this data; and that Google will not data mine for commercial purposes. Google will keep our data in perpetuity, delete it when requested, and will not display advertisements within the suite of Core Apps. For an explanation of Google’s privacy and security policies, see:

• G Suite for Education: Security and Privacy
• Google Privacy Center: Transparency and Choice

Under these terms, you can use G Suite to conduct university activities that are aligned with your role at the university.

Sensitive Data at Lehigh

Lehigh classifies sensitive data into types and provides guidelines for safe handling of this data. The sections below discuss sensitive data and G Suite. If you have questions, contact Lehigh Information Security specialists at security@lehigh.edu.

Read these relevant policies:

• University Cloud Policy
• Lehigh University Services Guide for Data Storage, Processing, and Transmission
• Privacy policy
• Copyright Compliance
• Classification of Data policy and Services Guide for Data Storage, Processing, and Transmission
• Use of computer systems and facilities

Email is not secure

Email is an unsecured medium for sharing sensitive information. Lehigh has enabled and enforced data encryption in transit for all email going to or being read via the Lehigh gmail service either by the Web browser (HTTPS) or via IMAP clients (SSL). Although most email services now use encryption in transit, it is not guaranteed that a remote system is using encryption. Think of email as communicating via postcard -- it offers little in the way of security or privacy.

G Suite and sensitive data

The following paragraphs provide information about some common types, or classifications, of Lehigh data, and storage on G Suite (e.g., Drive). Briefly though, these types of data should never be stored in Lehigh G Suite or stored or transmitted via email. To view detailed policies on handling of sensitive data, view the Classification of Data Tables.:

• Family Educational Rights and Privacy Act (FERPA) Data. The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student education records. Per Lehigh’s data classification policy, FERPA-protected records (and other confidential information “stored in an encrypted form within the personal network (LAN) file space of the individual and must not be backed up to a cloud storage service.”
• Personally-identifiable Information (PII). Personal identifiers, including Social Security, tax identification, driver’s license, and bank account numbers, listed in the Breach of Personal Information Notification Act, as well as other legally confidential data, are protected information.
• Financial Information (payment/credit card information). Pursuant to federal laws, Lehigh has a duty to safeguard every type of nonpublic, personally identifiable financial information. In addition, Lehigh must protect payment/credit card data and related account information. Examples include information provided on an application for a credit card, payment history, and account balance information.
• Health Insurance Portability Accountability Act (HIPAA) and Protected Health Information (PHI). Individually-identifiable health information is legally protected by Federal HIPAA Privacy and Security laws as well as Pennsylvania laws related to medical record confidentiality.
• Export-controlled and other sensitive information. The United States’ export control laws forbid the unlicensed transmission of controlled items, software, and information to certain countries. These export control laws apply to controlled items even when transmitted primarily for storage or for further transmission purposes. It can be a federal crime to share export-controlled information with collaborators who are not United States citizens or permanent United States residents.
• Human subjects data. Human subjects data is classified as Class II restricted information at Lehigh.
• Intellectual property. Lehigh G Suite users can invite other G Suite users (and non-users), both within the university and outside the university, to view data, co-edit documents, and use other collaboration tools. It is the responsibility of each user to ensure that appropriate sharing controls are used in order to protect Lehigh’s intellectual property or third party confidential proprietary information provided to the university under contractual terms requiring non-disclosure.

Accidental loss of data

LTS will make every effort to recover lost data, but recovery should not be assumed.

Continuity of departmental data

When selecting a data storage method, consider continuity of important data during staffing transitions, such as terminations, retirements, promotions, or transfers. Files that are important to the department should be stored on departmental accounts or on drives that are backed up and that can be transferred and maintained as individuals leave the university or leave positions in your department. When an individual leaves Lehigh, his/her computing account and the G Suite account is locked and eventually deleted, including files stored on Google Drive, Sites, Calendar information, etc. Plan for transferring ownership of files in the event that a staff member leaves.