Google Mail and Calendar at U-M and Inbox by GMail

Key: Permission Levels

  • Permitted
  • Permitted with Information Assurance (IA) Consultation
  • Not Permitted

For IA consultation, please contact the ITS Service Center

You are responsible for ensuring that your use of this service complies with laws, regulations, and policies where applicable. See Compliance below for details.

Permitted

Permitted with IA Consultation

Not Permitted

Service Description 

Google Mail and Calendar at U-M, as well as Inbox by GMail, are Core Services within the Google Apps for Education software provided to eligible members of the university community. (Michigan Medicine staff, medical students, and some others use an alternative mail and calendar system.)

Compliance 

As Core Services, Google Mail and Calendar at U-M, as well as Inbox by GMail, are covered by the university’s Google Apps for Education agreement. These services provide secure environments for maintaining or sharing the university's sensitive unregulated data, as well as some kinds of sensitive regulated data.

Social Security numbers should generally not be sent through email. Social Security numbers should only be used where required by law or where they are essential for university business processes. If you must use SSNs, it is preferred that you use institutional resources designed to house this data, such as the Data Warehouse. Information Assurance (IA) can help you explore appropriate storage locations or work with you to appropriately encrypt the data if those alternatives will not work for you. (Contact IA via the ITS Service Center.)

Google Mail and Calendar at U-M, as well as Inbox by GMail, may not be used for

  • Protected Health Information (regulated by HIPAA) (because Google has declined to sign the necessary contractual agreement)
  • Student Loan Application Information (regulated by GLBA)
  • Payment Card Industry (PCI) information
  • Sensitive Identifiable Human Subject Research
  • Export Controlled Research (regulated by ITAR or EAR)

These data restrictions are compliance-based, not security-based. Regulatory requirements mandate that specific sensitive regulated data be restricted from this service, even though the service is secure. It may not be used for Protected Health Information because Google has not signed the necessary Business Associate Agreement mandated by HIPAA. Google may not be used for Export Controlled Research data because Google cannot ensure that only U.S. persons have access to or maintain its systems, and may store the data in data centers outside the U.S.