Google Apps legal information

Personal Data

Does the University pass personal data to Google? If so, what?

Yes, IT Services passes to Google the personal data required to enable them to provide you with the Google Apps service. Your personal data is passed to Google only once you have accepted the terms and conditions of the service. 

The actual data we pass to Google is your name (as it appears in the user administration database) and your IT Services username. The privacy policy for Google Apps provides further details about what personal information may be recorded and how it is used.

No other personal data is passed to Google.

Where is information I save in Google Apps stored?

Any information you save in Google Apps is stored by Google on Google's servers. It is not stored on any systems operated by IT Services.

When the University signed the contract with Google, we confirmed with the Information Commissioner that such data transfers between countries are acceptable within the terms of the Data Protection Act (1998) whilst the Safe Harbor framework principles are met. However, a subsequent judgement of the Court of Justice of the European Union means that this agreement is no longer valid.

The alternative to Safe Harbor is to incorporate EU Model Clauses - these are also included within our contract with Google.

What can Google do with the data I store in the Google Apps service?

The University and Google have a contract that defines what Google may do with any data you store within the Google Apps service.

Intellecual Property: Your retain all rights over any intellectual property you store in Google Apps. Equally, Google retains all intellectual property rights it holds in its provision and delivery of the service.

Personal Data: Google may scan and index data you store in Google Apps for limited purposes in relation to providing you with this service. This may include personal data. The limited purposes set out in the contract are:

  • To enable you to search for information in stored in your account.
  • To enable Google to perform spam filtering, virus protection and similar security tasks.
  • To allow Google to respond to requests for assistance by yourself or IT Services in relation to the provision of this service.
  • To allow Google to meet its legal obligations (but not including any contractual agreements with third parties).
  • To otherwise enable Google to provide you with the Google Apps service.

Google's scanning and indexing is an automated process. Google has given an undertaking that no person will inspect information you have stored on Google's servers unless such inspection is necessary to resolve a request for assistance or to fulfil a legal obligation.

The University signed a contract with Google - can I see this?

The University has a contract with Google which includes assurances around data protection - this contract was reviewed by the University's solicitors, and was signed by the University's Registrar and Secretary, Dr David Duncan. Please contact us if you wish to see a copy of the University's contract with Google, by emailing:

Who owns data sent to Google Apps?

The contract says: "Except as expressly set forth herein, this Agreement does not grant either party any rights, implied or otherwise, to the other's content or any of the other's intellectual property. As between the parties, Customer owns all Intellectual Property Rights in Customer Data, and Google owns all Intellectual Property Rights in the Services."

Our interpretation of this is that the person who puts data into Google Apps own the intellectual property rights in it.

Will data stored on Google's servers be shared with the U.S. Government?

The contract says:"Other provisions of this Agreement notwithstanding, Google may scan or index Customer Data for the following purposes only: …  to allow Google to meet its legal obligations; …

Personal data can be disclosed when required by law, for example in relation to national security considerations. An analagous situation occurs in England and Wales with similar requests from UK law enforcement agencies which can be answered within the terms of the DPA.

In all cases you should satisfy yourself that Google Apps is an appropriate place to store any form of data.

General information

Who is legally responsible for the content of  the data placed in the cloud? 

The contract which the University has signed states that the University is, under the terms of the Data Protection Act, the Data Controller whilst Google is the Data Processor. In addition, the contract states that all intellectual property in University of York data belongs to the University.

Who has access to such data?

The University has access to the data. Google, as system operator, also has access to the data. Google's use of the data is restricted by contract - for example, no adverts are served to staff or students.

Will University information remain confidential?

The contract states that Google will keep all University information confidential, except as required by due process of law.

If Google's ownership/structure changes, will the contract be honoured? 

The contract contains standard clauses around change of ownership or control to ensure the service continues as agreed. In the event of Google going bankrupt, the service would no longer be provided. This risk has been assessed as extremely low by the University's Finance Department.