Policies & Guidelines

Mount Royal is going Google

Welcome to the Google Apps privacy page at Mount Royal University.

This site will give you information on Google Apps in regards to the aspects of protecting privacy under the Alberta Freedom of Information and Protection of Privacy Act.

The following links outline the benefits of using Google Apps for Education, addresses aspects of protecting privacy online, and answers frequently asked questions regarding the project.

Project Overview
Benefits of Gmail and Google Calendar
Protecting Privacy Online: Protecting Privacy on Email
Protecting Privacy Online: Protecting Privacy on Social Media
Protecting Privacy Online: Password Best Practices

MRU Best Practices - Email (Google Gmail)
MRU Best Practices - Electronic Collection/Storage/Transmissions (Google Drive/Forms/Docs)

Frequently Asked Questions about Gmail
Frequently Asked Questions about Privacy

Account Activation Information (IT)

Project Overview

Mount Royal University Information Technology Services initiated a formal review of the possibility of moving student Email to Google Gmail and Calendaring Services during the 2010-2011 academic year.

The review, performed by the MRU Google Apps steering committee which assessed various solutions, recognized that the current University student email system was outdated and that student utilization of the current system was low due to lack of both current functionality and features available in the current marketplace.

Additionally, the same review recognized the increasing trend in the post-secondary market of utilizing Google to provide post-secondary institutions with Email, calendar, and data storage services through Google Apps for Education. For example, the University of Alberta transferred their Email and calendar services to Google in 2010.

Throughout recent years, several Information Technology Services roles have transitioned into providing certain services that are often given the name utility computing.

The term utility computing refers to daily routine services that are required to operate an organization similar to providing services such as power or water. One IT service that falls in the category of a utility service is email.

When it comes to IT utility services, the University expends significant resources to provide e-mail services at the University, which diverts resources that could be utilized in other ways to advance the goals of Mount Royal University.

Currently, information regarding both the implementation of the new Google Apps email system at the University and account setup is available on the MRU Information Technology Services user adoption site for Google Apps.

A similar review concerning the implementation of Google specifically for faculty and staff will commence with the MRU Google Apps steering committee once the student migration is completed.

The following outlines the benefits of using Google Apps for Education for Students, addresses aspects of protecting privacy online, and answers frequently asked questions regarding the project.


Benefits of Gmail and Google Calendar

Gmail

Free up IT Resources

Mount Royal University Information Technology Services staff will have more time to dedicate to improving current services and investigate new initiatives that will ultimately advance the University's goals to support research, teaching, and learning.

More space for your mail

With Gmail, you have unlimited storage space. With that amount of space, you can store many years worth of Email.

Effective Organization of Email

Gmail uses labels to help you organize your messages. An Email can have several labels, so you are not forced to choose one particular folder of messages. You can also create filters to automatically manage incoming mail. Starring messages is another way you can organize your inbox. Additionally, all replies to a message are grouped together under one Conversation. If these search tools do not work, you can also use the Google search engine to search through your Email and find what you need.

The Hardware and Software are free

Mount Royal University spends a great deal of money and resources to provide an outdated Email service to students, which includes providing hardware, software, licensing, and people to administer the service. Google provides the hardware and software required to operate their Gmail and Calendar service free of charge.

Google Calendar

Share Calendars

Let your colleagues, students, classmates, or friends see your calendar, and view schedules that others have shared with you. With Google Calendar sharing, you do not have to worry about calling and/or Emailing participants numerous times to schedule an event. When you know when everyone is free of busy. You can also send invitations to your events using Google Calendar and track RSVPs by Email.

Reminders

Google Calendar has customizable reminders so you will never forget a meeting, appointment, assignment or exam. You choose to receive your event reminders via SMS messages, emails, or popups within Google Calendar itself.

Synchronize Your Life
Not only does Google Calendar help you get in sync with others, it can be synced with other computers and electronic devices. Sync with Microsoft Outlook, Apple iCal, and Mozilla Sunbird to use Google Calendar on different computers. With two-way syncing to your mobile phone's built in calendar or a mobile version of Google Calendar that is made for small screen, you can access your calendar while you are away from your desk.

Calendar Access Whenever You Need It

Google Calendar allows you to see your schedule even if you do not have access to the internet. With offline access, you can view a read-only version of your calendar no matter where you are.

Google Calendar - Included in the Google Apps Deployment

Google Calendar allows users to schedule and organize meetings between individuals according their need. Google provides this service free of charge.

Google Apps are included

Google Docs

Google Docs allows you to create documents, spreadsheets, and presentations online. With Google Docs, you can upload many popular file formats from programs like: Mircosoft Word, Mircosoft Excel and Mircosoft PowerPoint. Share your documents with others to collaborate on group projects using familiar editing toolbars. When you are finished save a copy online and/or save it to your computer.

Google Sites

Use Google sites to create a web space. Create your own site and fill in with your own content or with information from other Google applications. Features such as single-click page creation and templates in addition to an interface that allows you to edit your site as easily as editing a document prevents the need to know complicated HTML or CSS scripting. Because it is a Google application, it is easy to embed it with all sorts of rich content such as, videos, docs, spreadsheets, presentations, photo slide shows, and calendars from other Google products.

Google Talk

Email is not always the best method to communicate at all times. In certain situations the best way to communicate is in real time rather than waiting for the recipient to receive your Email the following day. Google Talk allows you to send instant messages from inside your Gmail screen. Chat with colleagues and friends in real time using Google Talk, which allows you to see when your contacts are online so you can send them a message instantly.


Protecting Privacy on Email

A common concern among individuals in regards to the use of Email is how their privacy is protected. In most cases, this concern has its basis on using one email system over another. However, in reality most of the more serious threats to your privacy stem from what sensitive information the user has decided to transmit over the internet or how the personal information is handled by the recipient.

The main tool used by organizations to protect privacy is encryption. The use of encryption is a reasonable measure often taken by organizations to ensure that information contained in your Email communication cannot be intercepted by someone eavesdropping on your online transmission. Although technologies are subject to on-going change that may result in interception despite encryption, the risk of encrypted information being intercepted while being transmitted is seen as low.

Most of the risk when it comes to Emails and protecting your privacy usually occurs when the Email is received. At the point that the Email is received, the sender has no control on how the information will be handled, accessed, or disclosed. For example, the recipient could store your Email in several ways that put your information at risk or could make multiple electronic or paper copies for distribution. Further, the recipient could decide to save the information on an insecure device such as a laptop, memory stick, or desktop computer. Many of these portable devices are susceptible to theft. Finally, the recipient may decide to forward the e-mail on to others, which may include the use of CC (Carbon Copy) or BCC (Blind Carbon Copy).

The best way to protect your privacy when it comes to the use of Email is to always consider the sensitivity of the information you are about to send online. Keep in mind that by its very nature, communicating through the internet is insecure despite any or all security protocols put in place by an organization such as encryption. A common best practice is to only include information in your mail that you would be comfortable with if the information as accessed, intercepted, or read similar to writing information on a postcard. If the information you wish to send is considered sensitive, send the information through more secure means such as addressed mail.


Protecting Privacy on Social Media

All too often, people utilize online tools and social media without taking the necessary precautions that would protect themselves from possible identity theft.

Identify theft occurs when a third party acquires portions of your personal information, which gradually allows them to impersonate your identity. For example, a perpetrator may use the personal information acquired to request a credit card in your name. The motivation behind identify theft is typically to aide with criminal activity or for personal financial gain.

Generally, individuals are usually complacent when it comes to sharing personal information online.

According to the Calgary Police Service, the following personal information can provide identity thieves enough information to steal your identity:

  • Name
  • Address
  • Date of Birth
  • Social Insurance Number or Social Security Number

Additionally, Mount Royal University Marketing & Communications provides a list of social networking guidelines.

When using online tools or social media, protect your personal information by doing the following (based on the Office of the Privacy Commissioner of Canada website):

  1. Give out as little information about you as possible
  • Keep in mind that, by its very nature, communicating through the internet is insecure and should not be automatically assumed to be private. More specifically, the use of Email presents various risks where information could be accessed despite any security protocols that are already in place by an organization such as the use of encryption.
  • Always consider the sensitivity of the information you are about to transmit through Email and other social media. A common best practice is to only include information that you would be comfortable with if the information was accessed or read, similar to writing information on a postcard.
  • If the information you plan on Emailing is deemed sensitive, consider using a more secure method to communicate the data such as addressed mail.
  • Refrain from providing information such as birth date or social insurance number if it is not, in fact, necessary.
  • One of the greatest risks to your Email's privacy concerns occurs on the receiving end, where there is little control over how the recipient handles your information. For example, the individual could forward your Email to other addresses, or send it to other people.
  • Another associated risk includes the way the recipient stores your Email such as making multiple copies or saving the information on portable storage devices that are susceptible to theft.
  • Email messages and other information transmitted through the internet are at risk of being hacked or intercepted. Many organizations take reasonable steps to prevent such incidents by using encryption, however, there is always risk due to changing technologies.
  1. Only provide sensitive personal information, such as financial information, through secure means.
  • Secure online forms will usually have a padlock icon in the bottom right corner of the screen.
  1. Be careful with what information you are sending over the web

    • Information can sometimes be intercepted by hackers through Email or through unsecure wifi connections.
    • Check that the website url address contains the acronym "https", which demonstrates the website is utilizing a secure channel.

      Hypertext Transfer Protocol Secure (https): utilizes a combination of Hypertext Transfer Protocol and Secure Sockets Layer (SSL). The use of https creates a secure channel over insecure networks. This system provides "reasonable" protection against information being intercepted through authentification processes.
  2. Protect your social insurance number

    • Social insurance numbers provide valuable information to identity thieves.
  3. Utilize online privacy controls

    • Many social media sites, such as Facebook, provide privacy controls for you to control who has access to your information. For example, in Facebook click on "edit profile" and then "privacy preferences" to adjust your privacy settings. This function can limit access to your social media postings to only the individuals you permit (rather than to everyone online).
  4. Create difficult passwords
    • Change your password on a regular basis
    • make it at least eight characters long
    • do not use complete words (as used in a dictionary)
    • do not use obvious passwords (Password, 123456, abc123,letmein)
    • do not recycle past passwords
    • always include upper/lower case, numbers, and symbols (%,$,*,@)
  5. Do not communicate with people you do not know in real life

    • Remember that the web is a public place that facilitates to people with both good and bad intentions alike.
  6. Always consider what you are posting online

    • Always be cautious regarding what you post and how much information you make public. Once information is posted publicly online it is difficult to delete.
    • Digital pictures often have electronic data embedded in the digital photograph tied to GPS called Geo tags, which reveal geographic locations.
  7. Read and understand the privacy policies

    • Most online tools and social media sites have privacy policies that are available on their websites. For example, survey monkey outlines that the company does not collect survey data from the user, but they do collect how you use their website. Become familiar and clear with how the company is using the information that is being supplied.


Password protocols - best practices

A strong password is a simple, but vital way to provide a first line of defense against unauthorized access to personal information held in electronic format.

Password protocol best practices include changing your password on a regular basis and ensuring your password:

  • is at least eight characters long
  • does not contain a complete word in a dictionary
  • is not obvious, such as a name or company name or simply "password"
  • is not similar to previous passwords (Password1, Password2)
  • contains a combination of:
  • Uppercase letters
    • Lowercase letters
    • Numerals
    • Symbols (%,$,*,@)



Frequently Asked Questions about Gmail

Q: Why is Mount Royal University moving to Google Apps/Gmail?

A: To access the most up-to-date applications; To increase memory or storage of Email/calendar data; To free up current University Information Technology Services Resources to be used on initiating new technological advances on behalf of the University community, To improve security in regards to Email services.

Q: What is the difference between the University Gmail account and a typical gmail.com account?

A: Mount Royal University has a contract with Google that upholds security and privacy. Google cannot read your e-mail or implement data mining or promote advertising. The contract also preserves @mtroyal.ca addresses.

Q: Does Google have any rights to my data?

A: No - From the contract point of view, Mount Royal University owns the data. In reality, the University is acting as the custodian for the data. The contract places the responsibility of providing technical support on the University. Google employees are only given temporary access to the account if requested by MRU IT administrator for troubleshooting purposes in exceptional circumstances.

Q: What is included with my account?

A: Unlimited storage; calendars; document editing tools, web pages; messaging, chat and video chat; group management; free phone calls in North America.

Q: I am a Faculty or Employee, when do we move to Google Apps?

A: Mount Royal University has started moving Faculty and Employees to Google. It will follow a similar process as what was completed for students.

Q: Is my data accessible to the U.S. government under the Patriot Act?

A: Yes - However, the move to Google results in no appreciable differences to what currently exists with the current Email system.

Q: Is Gmail secure?

A: Email, by its very nature, should not be regarded as a secure method of communication. However, through the University utilizing Google Apps it raises the bar for security above what it currently is on campus.

Q: I do not want to move to Gmail. What are my options?

A: Alternatively, you can forward your e-mail to an external provider. However, University policy 515-1 states that the official communication used by the University will be initially sent to your University E-mail Account, which is supplied by Google. This process provides the best way for the University to ensure communication is sent to the right person by using University authentification processes.


Frequently Asked Questions about Privacy

Q: Does the University's change to Gmail infringe on my privacy rights?

A: No - The Office of the Privacy Commissioner of Canada has reviewed similar scenarios where e-mail is provided to an organization by a US based company and has determined that there is not an automatic infringement of privacy rights. The Commissioner's findings provide a useful overview of the privacy implications where e-mail is provided by a US based company and the University encourages any interested person to review those findings.

Q: Have other Canadian Universities made the switch to Google Apps/Gmail?

A: Yes - The University of Alberta moved their Email/calendar applications to Google in 2010. Lakehead University in Ontario made the switch in 2008.

Q: Has a Privacy Impact Assessment (PIA) on the potential risks of using Gmail been completed?

A: Yes - A Privacy Impact Assessment has been completed by Mount Royal University and has been accepted by the Office of the Information and Privacy Commissioner of Alberta.

Q: Does the US Patriot Act allow the US government to access my personal information?

A: Yes - The Patriot Act allows for the US Government to access personal information that is held or accessible by anyone within the United States or any US citizen by two different methods. The first tool, which the US Government possesses, is found in Section 215 of the Patriot Act. Under this section the relevant Government agency must apply to a court for an order allowing them to access the personal information in question. The information which can be collected pursuant to this court order is very broad. The second tool, which the US Government has is found in Section 505 of the Patriot Act. It is under this section that the Government can issue National Security Letters whereby they can request that personal information be disclosed to them. The information can be accessed where it meets the following criteria: that the information sought is relevant to an authorized investigation to protect against international terrorism or clandestine intelligence activities. No court order is necessary for a National Security Letter to be issued; however, the type of information that is retrievable is more limited than through that available in a Section 215 (see above) order.

Q: How does the US Government's ability to access my personal information differ from the Canadian Government's ability to do so?

A: In Canada, like the United States, the Government has wide abilities to view personal information that is held in Email accounts. The Canadian Government's ability to do this is found in various pieces of Canadian legislation including the Criminal Code, the Canadian Security Intelligence Service Act, the National Defense Act, and others.

The key difference between Canada and the United States is that, in general, the Canadian legislation requires that all warrants for the seizure of personal information must be issued by a judge. However, it still remains that the application to the court for this order/warrant will be made without the knowledge of either the holder of the information or the person who is the subject of the information.

There have been a number of recent bills introduced in the Canadian House of Commons, which would increase the scope of information that is available to the Canadian Government and also decrease the number of restraints preventing the Government from accessing that information.

Should you wish to see further information regarding the Canadian system for intelligence gathering you can visit the website for The Office of the Privacy Commissioner of Canada and review a Position Statement produced by that office.

Q: Does the US Government have access to intelligence and personal information that has been collected by the Canadian Government?

A: Yes - The US and Canadian governments readily share intelligence of this nature pursuant to bilateral agreements, which have been entered into and pursuant to existing legislation which permits the sharing of information.

Q: Will my use of Gmail allow my personal information to be more readily available to the US Government?

A: The information may be physically located in the United States, which would allow the US Government to obtain direct access to that information. If the information is located in Canada, the US Government would have to approach the Canadian Government to obtain that same information.

Also, information which is held in an e-mail account has no guaranteed privacy. Any e-mail exists not only in the accounts to which it was forwarded, and likely on many servers which are situated in the United States. If an e-mail user wanted to ensure that their account was not subject to US Government surveillance they would also need to ensure that those with whom they are corresponding have also ensured that their own accounts have no US exposure.

Q: Is Google able to provide assurances to Mount Royal University and all University Gmail users that they will not release personal information to the US Government?

A: The contract with Google provides the University assurances that it will not release any personal information unless it is required to do so by law. Where possible Google will notify the University of any requests/demands for personal information. Requests/demands for personal information will often include a requirement that the holder of the information not advise any other party, other than their own legal counsel, that such a request has been made. The effect of this is that the University would have no notice of its information being accessed by the US Government.

Q: Will the use of Gmail increase the probability that my name will be added to a no fly list?

A: It is not clear how the so-called no fly list is composed and therefore the University is unable to provide any comment on how or why any one person is added to this list.