Data Security

Best Practices for Data Security in Google Apps for Education

As the San Francisco Unified School District transitions to the Google Apps for Education platform, now is a great time to review the correct handling of sensitive electronic information. The information below provides guidance on the appropriate use of confidential, private, and sensitive data in Google Apps for Education.


Appropriate Use of Email and Cloud Storage

The Google Apps for Education services approved by the San Francisco Unified School District are available to conduct District business that is aligned with your role at the District, provided that you do so in accordance with all of the District’s guidelines.


By its nature, email is an unsecured medium for sharing sensitive information. The San Francisco Unified School District has enabled data encryption in transit for all email going to or being read via the Google Apps for Education service. However, you cannot guarantee that the recipient’s email service is retrieving the information via a secure channel. Thus, it can be helpful to think of sending an email as sending a postcard: you should never include Social Security numbers, credit card numbers, driver’s licenses, internal security measures, or other sensitive information in an email message.


At a minimum, if a document contains information that should not be shared and is to be attached to an email message, then that document should be encrypted before being attached. The latest versions of Microsoft Word and Excel can easily encrypt documents using a password, and new versions of Adobe Acrobat can encrypt PDF files. A better alternative for sharing sensitive information is to provide a link to a document on a secure server that only authorized users have access to; using the District’s attachment server is an option (attachments.cityofboston.gov), although sensitive documents should be encrypted before being uploaded to the attachment server.


As noted below, there are some types of information that should never be stored, shared, or transferred via Google Apps for Education or any other email or cloud storage system unless specifically approved by the San Francisco Unified School District for such use.


Personal Information

Personal information contained in both paper and electronic records is protected information and must be safeguarded.  Personal information includes a person’s first name or first initial and last name, in combination with any of the following:


Social Security Number;

State ID number or driver’s license number; or

Financial Account Number or credit or debit card number


Users should not store, share, or transmit any of this information utilizing Google Apps for Education.  


Financial Information

The San Francisco Unified School District has a duty to safeguard certain nonpublic, personally identifiable financial information.   The District must protect debit and credit card data, bank account information, and related account information.  Examples include information provided on an application for credit, credit card numbers and bank account numbers. In order to continue to safeguard and protect personal nonpublic financial information, users should not utilize Google Apps for Education to store, share, or transmit any form of financial account or credit card information.


Health Insurance Portability and Protection Act (HIPAA)

Individually identifiable health information is legally protected by Federal HIPAA privacy and security laws as well as California laws related to medical record confidentiality.  There may be HIPAA implications from the transfer or receipt of protected health information (“PHI”).  HIPAA protections are subject to only a limited number of exceptions. Google Apps for Education should not be used to store or transmit protected health information.


Fingerprint Clearance

Electronic fingerprint clearance and background check records are confidential and must be password protected and encrypted and shall not be stored using public cloud storage methods.  Google Apps for Education should not be used to store or transmit fingerprint or background check records.


Compliance

The San Francisco Unified School District’s implementation of Google Apps for Education for Government is a San Francisco Unified School District resource provided to District employees.  All District policies apply, including the District’s Information Technology Acceptable Use Policy located on the SFUSD website.  Following the procedures outlined here will reduce potential liability for the San Francisco Unified School District and protect private information.