Google Workspace in education

We have reached agreement with Google on a comprehensive set of contractual, organisational and technical measures concerning the use of Workspace for Education Plus and Workspace Education Fundamentals by educational institutions in the Netherlands. Given the importance of the use of Google services in educational institutions, SURF and SIVON will continue to monitor Google on behalf of the education sector.

Research on Google ChromeOS and Chrome browser

In July 2021, it was agreed with Google that an education-specific version will be made available for ChromeOS and Chrome browser. Institutions will thus remain in control of data when using ChromeOS and Chrome browser on student and staff Chromebooks (managed by the institution).

Google Workspace for Education support package

As we previously reported, an agreement was reached with Google on July 8 on measures aimed at the previously identified privacy risks of Google Workspace for Education. This means that institutions can continue to use Google Workspace for Education (Plus), provided that they also take a number of actions themselves. SURF, SIVON, and Kennisnet have created a support package for this that you can now find here.

All about DPIA Google Workspace

9 July 2021 - On July 8, an agreement was reached with Google on measures aimed at the previously identified privacy risks with Google Workspace for Education. This means that schools can continue to use Google Workspace for Education, provided they take some actions themselves.

Agreement with Google on privacy risks

8 July 2021 - After intense discussions over the last weeks, agreement has been reached with Google regarding the mitigation of high data protection risks relating to the use of Workspace for Education Plus (previously G Suite Education for Enterprise) and Workspace for Education Fundamentals (the free of charge offering, previously G Suite for Education) by educational institutions in the Netherlands that were identified during a data protection impact assessment (DPIA) carried out in 2020 – 2021.

AP advice: Google Workspace in education poses too many risks

July 8, 2021 - The Dutch Personal Data Authority (Autoriteit Persoonsgegevens, AP) has stated that it is unclear whether personal data in Google Workspace (formerly Google Suite for Education) is sufficiently protected. Educational organisations are urging Google to take its social responsibility seriously in order to ensure the privacy of pupils and students and to remove the risks without delay. 

SURF and SIVON discuss privacy risks with Google

February 22, 2021 - In the education sector, personal and other privacy-sensitive data are digitally stored and exchanged at an increasing rate. It is important this is done in a safe and responsible manner. An investigation commissioned by the University of Groningen (RUG) and the Amsterdam University of Applied Sciences (HvA) has shown there are privacy risks associated with the so-called metadata Google collects.

Frequently asked questions

What products does Google G Suite for Education contain and what is Google Workspace for Education?

Google G Suite for Education includes: Classroom, Meet, Gmail, Calendar, Drive, Docs, Sheets, Slides, and more. Google G Suite for Education has recently been renamed Google Workspace for Education.

The complete list of applications: Google Classroom, Chat, Meet, Hangouts, Contacts, Tasks, Keep, Drive, Calendar, Jamboard, Sites, Forms, Sheets, Docs, Slides, Assignments, Cloud search and retrieval across services, Vault, Gmail, Cloud identity management

What do I need to do myself before my institution can use Google Workspace for Education?

Institutions must:

  1. accept the new agreement sent by Google around August 9, 2021;
  2. implement the technical and organizational measures included in the Technical Guide; and
  3. perform an education-specific DPIA themselves. To do this, make use of The Privacy Company's DPIA Update and the Education-Specific DPIA Guide on Google Workspace for Education.

With these 3 steps, institutions determine themselves whether they can continue to use Google Workspace for Education in their own situation.

When must all steps be taken?

As soon as possible, preferably before the start of the new academic year. The Personal Data Authority has issued the opinion that institutions should consider for themselves whether to continue using Workspace for Education before the start of the new academic year.

When will I receive the new agreement for Workspace for Education from Google?

Around Monday, August 9, Google will send the contacts (administrators) of the institutions an email with the new agreement and how to accept it. You must accept it yourself. SURF and SIVON cannot do that for you.

Who should sign the new agreement?

The agreement is accepted by the institution by clicking on the relevant sections on the accept link. Since it is about accepting the new terms with Google, the authority - the director or the board of directors - must agree to accept these terms. Thus, the person clicking on the link must have the mandate to accept the terms.

Where can I find the agreement with Google?

The agreement is not online; the terms are confidential and for Workspace for Education users only. You will receive the agreement at the email address of the administrator of your Workspace account.

I have not received the new agreement from Google, what should I do?

Are you the IT administrator of Google Workspace for Education? Check your spam folder in your email to see if any mail has been sent. If the Workspace for Education environment is managed by an external vendor, they may have received the email from Google.

If you have not received an amended agreement after Friday, August 13, please complete this form. SURF and SIVON will then contact Google and ask them to send you the amended agreement.

Why does my institution also need to perform a DPIA when one has already been performed by SURF and SIVON?

SURF and SIVON have had a general DPIA performed on Workspace for Education (Plus) by Privacy Company. SURF and SIVON are not themselves users of Workspace for Education; that is your institution. It is therefore up to you to determine whether, and which of, the outcomes of SURF and SIVON's DPIA apply to your situation. According to the Dutch Data Protection Authority, institutions still need to determine for themselves whether the agreements and measures made with Google are sufficient to implement the protection of personal data in accordance with the GDPR (AVG in Dutch). It is also possible that there are additional risks at institutions that are not included in the SURF and SIVON DPIA.

Is it necessary for me to implement all of the technical measures included in the manual?

In March 2021, 8 high privacy risks were identified for users of Workspace for Education (Plus). SURF and SIVON have reached agreements with Google to mitigate these risks. In order to mitigate all high risks, the new agreement with Google must be accepted and the technical measures described in the Technical Guide must be carried out. If these steps are not all implemented, then the institution must determine for itself whether the 8 high privacy risks have been sufficiently mitigated.

Workspace for Education is managed at our institution by an outside vendor who is also our administrator (system administrator). Does our vendor agree to the new agreement with Google?

No, a supplier can never agree to new terms for you with Google. You must decide for yourself whether to agree to the new terms. Your vendor or third-party system administrator must discuss with you in advance whether you agree to accept the new terms. Then the supplier or external system administrator can accept the terms on your behalf.

Your supplier cannot agree with you in advance that you accept the terms; you must review the modified terms yourself before agreeing to accept them.

Can I share the technical measures manual with my vendor who manages our Workspace environment?

Yes, you can. Kennisnet itself will also proactively inform the largest suppliers of the technical measures to be taken.

When will a new version of Chrome browser be available where Google acts as data processor instead of data controller?

This is not yet known. To comply with all the new privacy agreements, Google must make adjustments to its products. This will take some time. SIVON will continue to talk to Google about the progress and will communicate further about this as soon as possible.

In the meantime, can I continue to use the additional Google services that you are going to agree on?

It is difficult to answer that in this broad sense. The agreements with Google are primarily about the use of Workspace for Education (Plus). In addition, there are recommendations and technical measures for the use of Google's additional services. We will naturally provide information as quickly as possible about the services that fall outside the agreements. Ultimately, it is up to you as an institution to make your own decision on this.

What do these agreements mean for the use of Google Chromebooks?

The specific agreements apply in principle only to Workspace for Education (Plus). Google does commit to continuing to work with SURF and SIVON on the topic of Chromebooks as well. In addition, Google promises to become a processor for ChromeOS. We will provide you with information to already set up Chromebooks in the most privacy-friendly way possible, for example by reporting which technical measures can be taken now. We cannot give a definitive answer about the use of Chromebooks until discussions with Google are complete about the DPIA currently being conducted on Chrome/ChromeOS.

What happens if I have not made the adjustments before the start of the new academic year? Will I then receive a fine from the AP?

The AP is not expected to impose a fine immediately at the start of the new academic year. The modus operandi is that the AP will start an investigation if it has received a complaint from, for example, a concerned parent. That investigation will take some time; the AP will then look at the specific case and, if it sees reason to do so, start enforcing. So our advice is not to wait too long to implement the changes.

Are the negotiations now finished or are you going to have further discussions with Google?

We remain in constant dialogue with Google. The focus recently was mainly on the outcomes of the DPIA on Workspace and the advice of the AP. We will continue to discuss other Google services and products such as Additional Services, ChromeOS and Google Cloud Platform. In addition, we will monitor the technical improvements that Google must implement on Workspace to judge whether they are completed in a timely and sufficient manner.

Questions about the DPIA on Google

What is a DPIA?

DPIA stands for Data Protection Impact Assessment. A DPIA provides insight into how data is collected, what is done with it and what the risks are, so that measures can then be taken to reduce the risks. More information? Read more about DPIAs on the IBP Approach of Kennisnet.

Why has a DPIA on Google been done?

The DPIA was done to identify the privacy risks of Google G Suite for Education for use by educational institutions. This allows us to identify what measures can be taken to mitigate those risks.

What are the outcomes of the DPIA?

The DPIAs conducted show that there are privacy risks when using Google G Suite (Enterprise) for Education. Google has therefore amended the privacy conditions on a number of points. However, risks still remain.

The DPIA also revealed that so-called metadata is being collected. Metadata remotely measures whether and how a user uses the programs. This data is sent to the supplier of the software. It is, for example, the moment of login by users, which sites are visited, how long they work on a document or how many words are typed.

Google continues to see itself as a data controller of some of the data collected rather than a processor. This means that Google thinks they are allowed to determine for what purpose they collect this metadata and in what way. Google is not sufficiently transparent about this. As a result, educational institutions that use Google G Suite (Enterprise) for Education have no or insufficient control over Google's use of this data.

Why is the DPIA in English?

The DPIA is in English because the working language within Google is English. The results should also be clear to them and not be misinterpreted or translated.

Questions for SURF members 

How do I know whether my institution has purchased the Google G Suite for Education via SURF?

SURF has not had an agreement with Google for years. Only very recently has it become possible to purchase G Suite via OCRE. Institutions have not yet made use of this option.

If my institution still has a direct contract with Google for this service, can SURF take over this contract and ensure the DPIA requirements are met?

That depends on your institution's current agreements with Google. We are not in a position to make general assumptions about individual situations. Please contact your SURF relationship manager if you have any questions.

What is the impact of the DPIA on other Google services currently on offer through OCRE?

The completed DPIA was specifically aimed at G Suite. Other Google solutions have not been tested at this point. As such, we cannot (yet) state with certainty whether these solutions comply or not. It is up to the institution to weigh up the pros and cons of their use and, above all, to consult its Data Protection Officer (FG). We do advise proceeding with caution when entering into new contracts.

Within my institution we cannot simply switch to another service; what does SURF advise for these situations?

Currently, there is a problem that needs to be solved, and we assume Google will make the necessary adjustments to resolve these problems. The current situation does not mean the education sector should stop using Google G Suite immediately or altogether, especially if institutions depend on it for the continuity of their education. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) has been asked to provide advice on this, and talks with Google about their policy are ongoing. We advise institutions considering using Google to take the results of this DPIA into account when making decisions.

Do these privacy risks also apply to Microsoft/O365?

Similar DPIAs were carried out for Microsoft products and services two years ago. As a result, additional arrangements were made with Microsoft at the time. The final conclusion of these DPIAs was that the use of Microsoft products does not involve high risks, provided that the customer takes a number of measures.

I have a question or comment I do not wish to discuss publicly. Who should I contact?

If your question is not answered on this page, please contact your SURF relationship manager.

SURF does not offer a contract with Google. Why is SURF involved in this?

At the request of the Amsterdam University of Applied Sciences (HvA) and the University of Groningen (RUG), SURF has been involved in this process since May 2020. SURF has been involved as this matter is of great importance to a number of its members, and to the Dutch education sector as a whole. SURF (on behalf of higher and vocational educational institutions) and SIVON (on behalf of the primary and secondary education sectors) are in discussions with Google on behalf of the education sector in order to ensure Google eliminates the privacy risks.

Nanja Nouwen

Ask me your questions about the organisation and management of SURF.