G Suite Privacy and Security
How can Cornell safeguard privacy for services provided by Google?
Cornell's commitment to privacy has not changed as a consequence of offering G Suite.
As with all decisions that Cornell makes regarding information technologies, privacy and security are key elements. In addition, Cornell remains committed to freedom of expression. The Office of University Counsel managed the contract negotiations with Google to ensure that Google meets the university's expectations for freedom of speech, privacy, and security.
The process used to select G Suite included a review of Google's privacy and security practices. Google provided satisfactory responses to the university's detailed inquiries and requirements about those aspects of their respective services.
- Google is considered a designated School Official as defined by the Family Educational Rights and Privacy Act (FERPA), and therefore Cornell-provided G Suite services are sanctioned for storing student data. This use is only permitted for G Suite accounts that are provisioned by Cornell using Cornell NetIDs.
- Use of Cornell-provided G Suite services for other regulated data is not sanctioned. Cornell-provided G Suite services cannot be used for Health Insurance Portability and Accountability Act (HIPAA) data, Payment Card Industry (PCI) credit card data, Gramm-Leach-Bliley Act (GLBA) financial information, Export Controls (federally restricted data that cannot be exported to other countries or be accessed by non-US persons), or data covered by the Cornell Institutional Review Board (protection of human subjects).
- Cornell faculty, staff, and students are responsible for applying the appropriate security settings to files or forms created in G Suite to prevent inadvertent sharing or data leaks.
- Cornell-provided Gmail accounts are subject to Cornell's email stewardship policy.
- Cornell faculty, staff, and student users of Cornell G Suite accounts are required to authenticate with Two-Step Login when signing in.