UPDATE: See my more recent blog post if you’re looking for my supplement materials (to the Ryerson Google site) on sync’ing Google Apps.
I attended a session to address privacy and security concerns in adopting Google Apps at the university. Half of the session was actually a general how-to on protecting your own information and your responsibilities as a user. I’ll focus more on the project itself than the second half since there’s a ton of resources about protecting your information already out there.
Sada Systems will be handling the actual implementation and migration. Rollout will be done in stages starting with the first four, and the rest will have to go through the evaluation process first.
- app engine
- Faculty and students will have an opt-in option for mail.
- Staff, however, will be migrated (i.e. not optional).
- Everyone will be moved to calendar in order to be rid of Groupwise (yay!).
- Everyone will still keep their @ryerson.ca so there is no change in the email address itself.
Timeline & Next Steps
In a nutshell, there is none, and that’s because the legal agreement hasn’t actually been signed yet.
Once it does get signed, then alpha testing will be done with the CCS group (central IT) and then beta testing with a larger community group. They’re still hoping for a fall rollout though.
Most privacy and security concerns revolved around lawful access and warrantless searches when storing data in the US. It was explained that, basically, it doesn’t make a difference. Canada has similar legislation, and the Mutual Legal Assistance Treaties (with many countries) are binding agreements to share information under lawful access or warrantless searches, which means the same thing will happen if your data is stored in any of the countries that are part of the agreement.
Privacy & Data Protection
To alleviate some concerns, the organizing group assured everyone that a Privacy Impact Assessment is done using the international standard, Privacy in Design, and ensures that there are no breaches of:
- Ontario Freedom of Information and Protection of Privacy Act
- Ryerson Information Protection and Access Policy
- Execution of Contracts and Documents and Signing Approval Authority Schedule
- all incoming mail goes through the university servers first
- not opting in means that email stays on the university servers
- opting in means the emails are then sent and stored on Google servers
- students’ emails will not be visible in the global (internal?) address list
- minimum identifying information (username, name) is used for authentication
- drives/docs are private by default
- calendars display only free/busy by default (as in Groupwise right now)
As I mentioned, in the second half of the presentation, we were all reminded that most email/information/data breaches are due to users, not email systems or hardware, and that email is not secure (although they’re looking into encryption for sensitive information). We got the usual spiel on our responsibilities not to include sensitive information in emails, having secure passwords, being careful of phishing, making sure websites use https, etc.
We’ll see how quickly they get things going, but I’m sure many staff will be happy to get rid of Groupwise (which likes to crash at least a couple of times a week and cancels shut down) at the very least.
For more updates, there is a dedicated blog for project updates.