Data Stewards Approve Google Apps for Education for Restricted Institutional Data

• Anonymous file sharing capability is removed before implementation.
• Appropriate Data Loss Prevention (DLP) controls will be implemented as soon as they are made available by the vendor.
• Appropriate group/department level account structure will be implemented to accommodate concerns about orphaned or lost documents as soon as available.
• A warning message will be presented when users navigate away from IU and into the GAFE environment to inform users they are going outside an IU environment.  (This should be in conjunction with an appropriate privacy notice as well.)
• Representatives from the CDS will be added to the membership of the GAFE coordination group.
• Appropriate training (including administration and FERPA training) is given to all employees sharing student data in this environment to help mitigate risks.
• A request form is developed prior to implementation and will require the following information:
  • A description of the purpose for the project site  (This is for documentation purposes only.  No one will be reviewing and approving.)
  • A question asking if the requestor already has a Google account assigned to their IU email address:
    • instructions for migrating IU documents/files to the IU GAFE account.
  • Language that informs users that GAFE is not recommended for sharing large student data sets or housing personally identifiable student research information as there are more appropriate platforms for this type of usage. 
  • a statement that highlights the administrative risks to the unit given the breach responsibility as outlined in ISPP-26  http://policies.iu.edu/policies/categories/information-it/ispp/ISPP-26.shtml still lies with the department if inappropriate access is given to restricted student data. 

If the above can be accommodated, the Committee of Data Stewards approve the use of Restricted data in the GAFE environment.