Yes, IT Services passes to Google the personal data required to enable them to provide you with the Google Apps service. Your personal data is passed to Google only once you have accepted the terms and conditions of the service.
No other personal data is passed to Google.
Any information you save in Google Apps is stored by Google on Google's servers. It is not stored on any systems operated by IT Services.
When the University signed the contract with Google, we confirmed with the Information Commissioner that such data transfers between countries are acceptable within the terms of the Data Protection Act (1998) whilst the Safe Harbor framework principles are met. However, a subsequent judgement of the Court of Justice of the European Union means that this agreement is no longer valid.
The alternative to Safe Harbor is to incorporate EU Model Clauses - these are also included within our contract with Google.
The University and Google have a contract that defines what Google may do with any data you store within the Google Apps service.
Intellectual Property: You retain all rights over any intellectual property you store in Google Apps. Equally, Google retains all intellectual property rights it holds in its provision and delivery of the service.
Personal Data: Google may scan and index data you store in Google Apps for limited purposes in relation to providing you with this service. This may include personal data. The limited purposes set out in the contract are:
Google's scanning and indexing is an automated process. Google has given an undertaking that no person will inspect information you have stored on Google's servers unless such inspection is necessary to resolve a request for assistance or to fulfil a legal obligation.
The University has a contract with Google which includes assurances around data protection - this contract was reviewed by the University's solicitors, and was signed by the University's Registrar and Secretary, Dr David Duncan. Please contact us if you wish to see a copy of the University's contract with Google, by emailing:
The contract says: "Except as expressly set forth herein, this Agreement does not grant either party any rights, implied or otherwise, to the other's content or any of the other's intellectual property. As between the parties, Customer owns all Intellectual Property Rights in Customer Data, and Google owns all Intellectual Property Rights in the Services."
Our interpretation of this is that the person who puts data into Google Apps own the intellectual property rights in it.
The contract says:"Other provisions of this Agreement notwithstanding, Google may scan or index Customer Data for the following purposes only: … to allow Google to meet its legal obligations; …
Personal data can be disclosed when required by law, for example in relation to national security considerations. An analogous situation occurs in England and Wales with similar requests from UK law enforcement agencies which can be answered within the terms of the DPA.
In all cases you should satisfy yourself that Google Apps is an appropriate place to store any form of data.
The contract which the University has signed states that the University is, under the terms of the Data Protection Act, the Data Controller whilst Google is the Data Processor. In addition, the contract states that all intellectual property in University of York data belongs to the University.
The University has access to the data. Google, as system operator, also has access to the data. Google's use of the data is restricted by contract - for example, no adverts are served to staff or students.
The contract states that Google will keep all University information confidential, except as required by due process of law.
The contract contains standard clauses around change of ownership or control to ensure the service continues as agreed. In the event of Google going bankrupt, the service would no longer be provided. This risk has been assessed as extremely low by the University's Finance Department.