3. Why?
• Poor student email service • Mobile strategy
• Email servers getting old • Concentrate on added
• Quick wins (timetable) value
• Calendar product not • Pace of Innovation
supported • Carbon footprint
• Improved service
4. How
• Students – normal governance
• Decision May 2009
• Implementation August 2009
• Staff – approval of UEB
• Implemented email during
2011
• Calendar August 2011
5. Implementation
• Open & transparent
• Engage user community
• No big deal
• Risks identified
– Charging
– Resistance to change
– Volatility of development
– Impact on skills
6. Email
• Tools provided by Google
• All mail migrated
• Student
– Migration of existing mail
– Friendly email aliases
• Staff
– Users can continue to use client
– IT Support staff early adoptors.
– Support Staff in Departments, personal service
– Feedback sessions after dept is complete.
7. Calendar
• Students
– Population of Calendars with
timetables
• Staff
– Big Bang approach needed
– Data Migration out-sourced
– Users used to Oracle Calendar
– Major business change involved
8. Issues
• Disruptive technology
• Integration
• Training for different communities of users
• Benefits
• Other “Core Apps” - Docs, Sites, Groups, Labs
• Client configuration
• Google changing things
27. “After careful assessment of Google Apps for
Education against UK Data Protection Law and
the University’s own privacy policies the
University is satisfied that personal data is being
processed appropriately”
29. The University has a modified contract with
Google, based on Google’s standard terms and
conditions.
Google have agreed to only process personal data in
accordance with the standards set out by the EU
directive on data protection.
The University has assessed the risk in relation to the
US Patriot Act is satisfied that the increased risk
presented by this is very small and is manageable.
31. Export Control
• Technical information covered by
UK export law
• Legal advice
The use of Google mail … would not
in itself qualify as exporting data.
• Data transmitted by email can pass
through national boundaries
regardless of destination
• Therefore, although the risk is very
low …… careful consideration should
always be given as to how
controlled technology is transmitted
and where it is stored.
38. Thank you
c.sexton@sheffield.ac.uk
http://cicsdir.blogspot.com/
@cloggingchris
Notes de l'éditeur
WhyWhatHow Issues, including data security and privacy
Improved service egfilestore
Paper to UEB was two sides of A4
Changed name of project from “Next Generation email & Calendar” to ”Google Apps”Paper to UEB was 2 sidesResistance to change risk had security behind it
Good quality comms neededAbout 200 Users a night is viable
Disruptive technology - what do you do with all the existing stuffIntegration with your stuffTraining for different communities of usersMaking sure you get the benefitsWhat to do about other “Core Apps” - Docs, Sites, Groups, LabsIMAP access to mail
Built own servers and netorksAll designed with failure in mind
Back up
Can afford to spend more than us on security. In fact, more than most governements.
The contract specifies how and where different types of data will be held and processed by Google.The contract specifies that both Google and the University must abide by a comprehensive Privacy Policy.The contract has specific clauses that cover when and how data will be processed and the retention periods for data.The contract and Privacy Policy are clear that data will not be shared with third parties except where required to do so by lawGoogle adheres to the United States Safe Harbor Privacy Principles of Notice, Choice, Onward Transfer, Security, Data Integrity, Access and Enforcement, and is registered with the U.S. Department of Commerce’s Safe Harbor Program. The US Patriot Act has strict legal processes that must be followed, and Google make it clear in their Privacy Policy that they will only respond to lawful requests where there is evidence that the correct processes have been followed.
As you know, our stance is that we adhere to the principles of the European Directive on Data Protection through participation in Safe Harbor. We don't disclose where our Data Centres are and the EU Directive does not require that we do so. What's important is knowing whether the Data Processor takes appropriate measures to protect data - which of course we do.And, in case you're asked, we do not commit to maintaining data in the US/EU but we do commit to maintaining Safe Harbor compliance during the Term of the Agreement.EUData Protection Directive, which sets comparatively strict privacy protections for EU citizens. It prohibits European firms from transferring personal data to overseas jurisdictions with weaker privacy laws, but creates exceptions where the overseas recipients have voluntarily agreed to meet EU standards under the Directive's Safe Harbor Principles.These principles must provide:Notice - Individuals must be informed that their data is being collected and about how it will be used.Choice - Individuals must have the ability to opt out of the collection and forward transfer of the data to third parties.Onward Transfer - Transfers of data to third parties may only occur to other organizations that follow adequate data protection principles.Security - Reasonable efforts must be made to prevent loss of collected information.Data Integrity - Data must be relevant and reliable for the purpose it was collected for.Access - Individuals must be able to access information held about them, and correct or delete it if it is inaccurate.Enforcement - There must be effective means of enforcing these rules.
A small number of researchers in the University handle technical information that is covered by UK export law (this is usually, but not limited to, defence related technologies). As the data in Google Apps for Education may be held on servers outside of the UK, the University has obtained legal advice on the specific matter of technical information controlled by export law:The use of Google mail to send, receive or store emails that contain information controlled by export law would not in itself qualify as exporting data. For example if both the sender and recipient are in the UK.The use of any mail system to send, receive or store emails that contain information controlled by export law to those outside of the UK would qualify as exporting data.Data transmitted by email can pass through national boundaries regardless of destination and can also be accidentally forwarded to unintended recipients. Data stored in Google Apps for Education could in theory be made available to US law enforcement agencies. Therefore, although the risk is very low, and as should be the case anyway, careful consideration should always be given as to how controlled technology is transmitted and where it is stored.
The New Privacy Policies only affect users of our Consumer Services. It does not affect the standard, core Google Apps for Education ToS, which are governed by the Google Apps for Education Agreement that the institution accepts (either online or offline). However, if you provision any of the Consumer Services (Google+, Picassa, YouTube, etc.) through the Apps for EDU Control Panel, users of those services will be presented with the Consumer Terms and those terms and the new Privacy Policies will govern the use of those products/services.
One potential answer to the “what can we stop doing?” question.
YHMAN regional facility based on VMWAre. Community Cloud. Currently sheffield, leedsleeds metPrivate network with virtual security.IaaS.Pathfinder project.Back up, business continuity, temporary capacity.