Data Protection Blunder For York University

We are currently being warned that Google Apps does not fall in line with one of the main rules of the Data Protection Act.

"Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data."

Google won't tell us where the data is held so this is a problem. Not sure if Live@edu would be a similar issue.

Google have some safe harbour arrangement for EU data, but I don't know what it applies to. You'll have to ask them.

For information about the Safe Harbor agreement you can see Google Apps for Education - Free Hosted Email (Gmail) for EDU , is used by the OU and a number of other HE/FE institutes, was cleared by Becta as being ok (with no disagreement from ICO) and is being used by a lot of schools.

The problem is likely not to have been with Google but with the configuration and/or use of the services ... but the investigation will show what went wrong. Most DPA breaches are to do with people making mistakes and policies not being followed, not the technology used.

Personal Information Received from the EU/EEA and/or Switzerland:
Google Inc., and other companies within the Google Inc. corporate group, collect personal information in relation to natural persons from within member states to the European Union ("EU data subjects") as result of: 1) the use and operation by Google Inc. and its group members of internet domains which are registered in member states of the European Union from which Google Inc. and its group members carry on their business and supply services to EU data subjects; and 2) the distribution, within member states of the European Union, by Google Inc. and its group members (and other third parties authorised to do so by Google Inc. and its group members) of applications and products to EU data subjects; and 3) the supply of goods and/or services to Google Inc. and its group members by companies and businesses located in member states of European Union (which may in some cases involve the supply or exchange of personal information in relation to EU data subjects). Personal information collected under (1) and (2) is held and processed by Google Inc. and its group members for differing purposes depending upon the particular service or product being provided. These purposes may include any of the following: sales and marketing to such consumers and/or businesses, contract negotiation, effecting transactions with such consumers and/or businesses, supplying services and/or products to such consumers and/or businesses, operating, developing and improving our services and products, personalising our services and products, financial processing and management, fraud detection and prevention, compliance with governmental, legislative and regulatory bodies, customer support and/or customer relationship management. Personal information collected under (3) is held and processed by Google Inc. and its group members for differing purposes depending upon the nature of the supply of goods and/or services. These purposes may include any of the following: contract negotiation, effecting transactions with such individuals and/or businesses, financial management and/or supplier relationship management, fraud detection and prevention, and compliance with governmental, legislative and regulatory bodies.
Privacy Policy Effective: 10/3/2010

doesnt the safe harbour agreement cover this? The fact that they are a US firm means they are covered, no matter where the data 'is' .... ?

Originally Posted by sipmar

We are currently being warned that Google Apps does not fall in line with one of the main rules of the Data Protection Act.

May I ask who issued said warning? As GrumbleDook and levell3r have outlined already, they are giving out incorrect information.