UC Berkeley Box and Google Data Use Agreement

Overview

As part of the Operational Excellence initiative, UC Berkeley has selected Box and Google Apps for Education (collectively referred to as “vendor services”, including bCal and bMail) to deliver collaboration, email and calendaring solutions to campus students, faculty and staff (collectively referred to as “end users”). Collectively, these new services will provide exciting new ways for end users to easily collaborate and communicate with others. Like any other electronic resources on campus, end users must use vendor services in a manner that complies with campus policies.

Appropriate Data Use

End users must use vendor services in accordance with the following policies that govern general computer use on campus:

End users must also comply with the following data use restrictions when using vendor services.

Data Categories                                        | Permitted on bDrive?              | Permitted on Box?                 | Permitted on bMail?
-------------------------------------------------------|-----------------------------------|-----------------------------------|----------------------------------
Protection Level 2 Data: e.g.,                         | No                                | No                                | No
Export Controlled Data                                 | No                                | No                                | No
Personally Identifiable Human Subject Research Data    | Depends on Data Protection Level  | Depends on Data Protection Level  | Depends on Data Protection Level
Protection Level 1 Data: e.g.,                         | Yes                               | Yes                               | Yes
Protection Level 0 Data: i.e., General (non-confidential) Information | Yes                | Yes                               | Yes
Copyrighted Information                                | *                                 | *                                 | *

Table 1 - Data Use Restrictions. Data classes are defined in the UC Berkeley Data Classification Standard. For data categories not defined here, see Other Data Categories below.

Violation of this Data Use Agreement or other campus policies may result in temporary or permanent restriction of access privileges to vendor services or other measures detailed in the Computer Use Policy.

These restrictions on the storage and transmission of data on the vendor services have been established to protect data that can cause major financial or reputational harm to the campus if accessed without authorization. Data belonging to multiple categories must be treated according to the highest level of restriction (e.g., Student Social Security Numbers fall into both the Notice-Triggering and FERPA data categories; however, the prohibition on Notice-Triggering data supersedes the allowance of FERPA data).  

Other Data Categories

Data categories not defined in this document should be evaluated based on the same guidelines as above.  If unauthorized access to the data will cause major financial or reputational harm to the campus, DO NOT store or transmit that data on vendor services.  Please contact itpolicy@berkeley.edu if you have any questions on whether your data should or should not be stored on vendor services.

Data Risks

As part of the service rollout, the UC Berkeley project teams worked to validate that Box and Google adhere to security best practices.  However, the use of UC Berkeley Box and Google services exposes the campus to new risks due to the cloud-based service model where UC Berkeley does not own and operate the systems supporting these services.  The key risks to consider when using vendor services are:

  • Although Box and Google have a contractual commitment to access Berkeley data only to provide and improve delivery of their services to campus end users, UC Berkeley data could potentially be accessed by Box and Google employees illegitimately without prior consent.
  • Box and Google may employ foreign nationals with administrative access to the supporting systems and data hosted in the vendor services. Therefore, these vendor services may be unsuitable for data covered by export controls.
  • UC Berkeley staff have limited access to vendor services’ system audit logs and reports. Consequently, Berkeley staff may not be able to detect or respond to security breaches or other incidents occurring on the vendor services in a timely manner.

In addition, because the collaborative features of the vendor services allow document sharing between internal UC Berkeley users and external users not affiliated with the UC Berkeley campus, accidentally shared data may be exposed to a significant number of users and devices. When compared with traditional collaboration tools that limit access to internal users and require manual replication of data between computing devices, these new collaboration tools can magnify both the likelihood and the impact of inadvertently sharing a file or transferring data to an insecure laptop or mobile device.

Data Categories

Protected Health Information (PHI)

Federal HIPAA regulations seek to protect the privacy and security of Protected Health Information (PHI). HIPAA establishes requirements for covered entities, such as health care providers, regarding the release of PHI to nonemployee business associates. In addition to the information privacy risks outlined above, Box and Google are not contractually bound as UC business associates in the context of HIPAA; therefore, Berkeley Campus covered entities may not store PHI on the vendor services. 

PHI is individually identifiable health information that relates to 1) the past, present, or future physical or mental health, or condition of an individual; 2) the provision of health care to an individual; or 3) payment for the provision of health care to an individual. The following information items cannot be stored on Box or Google if the data was collected in, associated with or derived from a healthcare service event (treatment, payment, operations, medical records), or if the subject/patient is to be informed of the results of a healthcare service event:

  • Names
  • All geographic subdivisions smaller than a state
  • All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death
  • Telephone numbers
  • Fax numbers
  • Electronic mail addresses
  • Social Security Numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • Web Universal Resource Locators (URLs)
  • Internet Protocol (IP) address numbers
  • Biometric identifiers, including finger and voice prints
  • Full face photographic images and any comparable images
  • Any other unique identifying number, characteristic, code, or combination that allows identification of an individual

For more information about HIPAA, visit http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html

Payment Card Industry (PCI) Information

The PCI-DSS (Payment Card Industry Data Security Standard) requires entities processing credit card transactions to enforce stringent security requirements for stored credit card information.  These requirements also apply to third party service providers such as Box and Google. Cardholder data is defined to be the full magnetic stripe or the Primary Account Number (PAN) plus any of the following:

  • Cardholder name
  • Expiration date
  • Service Code

For more information about PCI, visit https://www.pcisecuritystandards.org

California State Law Notice‐Triggering Information

California law requires a business or a state agency to notify any California resident whose unencrypted personal information, as defined below, is accessed by an unauthorized person. UC Berkeley staff have limited access to audit logs and limited capability to monitor vendor security operations; therefore if a breach of UC Berkeley “notice-triggering information” occurs within vendor services, the campus would be at significant risk of being unable to obtain breach incident details to comply with state regulations.

Notice-triggering information is defined as an individual's first name or initial and last name plus any of the following:

  • Social Security Number
  • Driver's license number or California Identification Card number
  • Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account
  • Medical Information
  • Health Insurance Information

For more information about the specific California State Law, visit California State Senate site for full text of the bill and Department of Health Care Services for details on amendments to the original bill.

Export Controlled Data

Export control regulations such as ITAR (The International Traffic in Arms Regulations) and EAR (The Export Administration Regulation) regulate the distribution of technology, services and information to foreign nationals and foreign countries. Because vendors may employ foreign nationals, data subject to export controls must not be stored on vendor services.

For more information about export controlled data, visit http://www.ucop.edu/ethics-compliance-audit-services/compliance/international-compliance/export-laws.html

Personally Identifiable Human Subject Research Data

A Human Subject Research Data Set is a body of personally identifiable data elements collected in the course of research with living human beings.  Human Subject Research regulations require adequate provisions to protect the privacy of subjects and to maintain the confidentiality of data to limit access from external parties, including vendor service administrators.

For more information about human subject research data, visit http://cphs.berkeley.edu/datasecurity.html, http://www.hhs.gov/ohrp/humansubjects/index.html

Student Education Records (FERPA)

Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy and security of student education records, which are defined as records maintained by UC or another group acting for UC, and include, but are not limited to: transcripts (grades), exam papers, test scores, evaluations, financial aid records and loan collection records. The law requires that student education records be shared only between the student and those who have a legitimate education-related interest as defined by the Berkeley Campus Policy Governing Disclosure of Information from Student Records.  

Student information that also meets the criteria for notice-triggering information (e.g. student SSN, financial account numbers, etc.) is governed by the same restrictions as California State Law Notice‐Triggering Information.

For more information about student education records, visit http://registrar.berkeley.edu/ferpa.html

Copyrighted Information

When reproducing or distributing (including saving to vendor services and accessing or downloading) material that has been written, recorded, or designed by someone else, it is the responsibility of users to abide by copyright law. Permission from copyright holders is required when using a work in a way that infringes on the exclusive intellectual property rights granted to a copyright holder, i.e., reproducing part or all of a copyrighted work outside the boundaries of acceptable fair use.

For more information about copyrighted information, visit http://www.universityofcalifornia.edu/copyright/usingcopyrightedworks.html

Additional Resources

To help the campus protect institutional data, each user must follow appropriate file sharing procedures to prevent inappropriate sharing or transmission of sensitive data via the vendor services. Additional precautions should also be taken when synchronizing files stored on vendor services to laptops and mobile devices to protect data in the case of theft or misplacement. Please refer to the links below for information on how to use the vendor services securely and effectively:

Box

Google

If you have any questions about the content of this agreement, please contact itpolicy@berkeley.edu.