Research on Google ChromeOS and Chrome browser
In July 2021, it was agreed with Google that an education-specific version will be made available for ChromeOS and Chrome browser. Institutions will thus remain in control of data when using ChromeOS and Chrome browser on student and staff Chromebooks (managed by the institution).
Google Workspace for Education support package
As we previously reported, an agreement was reached with Google on July 8 on the measures aimed at the previously identified privacy risks at Google Workspace for Education. This means that institutions can continue to use Google Workspace for Education (Plus), provided that they also take a number of actions themselves. SURF, SIVON, and Kennisnet have created a support package for this that you can now find here.
All about DPIA Google Workspace
9 july 2021 - On July 8, an agreement was reached with Google on measures aimed at the previously identified privacy risks with Google Workspace for Education. This means that schools can continue to use Google Workspace for Education, provided they take some actions themselves.
Agreement with Google on privacy risks
8 july 2021 - After intense discussions over the last weeks, agreement has been reached with Google regarding the mitigation of high data protection risks relating to the use of Workspace for Education Plus (previously G Suite Education for Enterprise) and Workspace for Education Fundamentals (the free of charge offering, previously G Suite for Education) by educational institutions in the Netherlands that were identified during a data protection impact assessment (DPIA) carried out in 2020 – 2021.
AP advice: Google Workspace in education poses too many risks
July 8, 2021 - The Dutch Personal Data Authority (Autoriteit Persoonsgegevens, AP) has stated that it is unclear whether personal data in Google Workspace (formerly Google Suite for Education) is sufficiently protected. Educational organisations are urging Google to take its social responsibility seriously in order to ensure the privacy of pupils and students and to remove the risks without delay.
SURF and SIVON discuss privacy risks with Google
February 22, 2021 - In the education sector, personal and other privacy-sensitive data are digitally stored and exchanged at an increasing rate. It is important this is done in a safe and responsible manner. An investigation commissioned by the University of Groningen (RUG) and the Amsterdam University of Applied Sciences (HvA) has shown there are privacy risks associated with the so-called metadata Google collects.
Frequently asked questions
Google G Suite for Education includes: Classroom, Meet, Gmail, Calendar, Drive, Docs, Sheets, Slides, and more. Google G Suite for Education has recently been renamed Google Workspace for Education.
The complete list of applications: Google Classroom, Chat, Meet, Hangouts, Contacts, Tasks, Keep, Drive, Calendar, Jamboard, Sites, Forms, Sheets, Docs, Slides, Assignments, Cloud search and retrieval across services, Vault, Gmail, Cloud identity management
- accept the new agreement sent by Google around August 9, 2021; and
- implement the technical and organizational measures included in the Technical Guide, and
- perform an education-specific DPIA themselves. To do this, make use of The Privacy Company's DPIA Update and the Education-Specific DPIA Guide on Google Workspace for Education.
With these 3 steps, institutions determine themselves whether they can continue to use Google Workspace for Education in their own situation.
As soon as possible, preferably before the start of the new academic year. The Personal Data Authority has issued the opinion that institutions should consider for themselves whether to continue using Workspace for Education before the start of the new academic year.
Around Monday, August 9, Google will send the contacts (administrators) of the institutions an email with the new agreement and how to accept it. You must accept it yourself. SURF and SIVON cannot do that for you.
The agreement is accepted by the institution by clicking on the relevant sections on the accept link. Since it is about accepting the new terms with Google, the authority - the director or the board of directors - must agree to accept these terms. Thus, the person clicking on the link must have the mandate to accept the terms.
The agreement is not online, the terms are confidential and for Workspace for Education users only. You will receive the agreement at the email address of the administrator of your Workspace account.
Are you the IT administrator of Google Workspace for Education? Check your spam folder in your email to see if any mail has been sent. If the Workspace for Education environment is managed by an external vendor, they may have received the email from Google.
If you have not received an amended agreement after Friday, August 13, please complete this form. SURF and SIVON will then contact Google and ask them to send you the amended agreement.
SURF and SIVON have had a general DPIA performed on Workspace for Education (Plus) by Privacy Company. SURF and SIVON are not themselves users of Workspace for Education; that is your institution. It is therefore up to you to determine whether, and which of the outcomes of SURF and SIVON's DPIA apply to your situation. According to the Dutch Data Protection Authority, institutions still need to determine for themselves whether the agreements and measures made with Google are sufficient to implement the protection of personal data in accordance with the AVG. It is also possible that there are additional risks at institutions that are not included in the SURF and SIVON DPIA.
In March 2021, 8 high privacy risks were identified for users of Workspace for Education (Plus). SURF and SIVON have reached agreements with Google to mitigate these risks. In order to mitigate all high risks, the new agreement with Google must be accepted and the technical measures described in the Technical Guide executed. If these steps are not all implemented, then the institution must determine for itself whether the 8 high privacy risks have been sufficiently mitigated.
No, a supplier can never agree to new terms for you with Google. You must decide for yourself whether to agree to the new terms. Your vendor or third-party system administrator must discuss with you in advance whether you agree to accept the new terms. Then the supplier or external system administrator can accept the terms on your behalf.
Your supplier cannot agree with you in advance that you accept the terms, you must review the modified terms yourself before agreeing to accept the terms.
Yes, you can. Kennisnet itself will also proactively inform the largest suppliers of the technical measures to be taken.
This is not yet known. To comply with all the new privacy agreements, Google must make adjustments to its products. This will take some time. SIVON will continue to talk to Google about the progress and will communicate further about this as soon as possible.
It is difficult to answer that in this broad sense. The agreements with Google are primarily about the use of Workspace for Education (Plus). In addition, there are recommendations and technical measures for the use of Google's additional services. We will naturally provide information as quickly as possible about the services that fall outside the agreements. Ultimately, it is up to you as an institution to make your own decision on this.
The specific agreements apply in principle only to Workspace for Education (Plus). Google does commit to continuing to work with SURF and SIVON on the topic of Chromebooks as well. In addition, Google promises to become a processor for ChromeOS. We will provide you with information to already set up Chromebooks in the most privacy-friendly way possible, for example by reporting which technical measures can be taken now. We cannot give a definitive answer about the use of Chromebooks until discussions with Google are complete about the DPIA currently being conducted on Chrome/ChromeOS.
The AP is not expected to impose a fine immediately at the start of the new college year. The modus operandi is that the AP will start an investigation if they have received a complaint from, for example, a concerned parent. That investigation will take some time and then the AP will look at this specific case and if they see reason they will start enforcing. So our advice is not to wait too long to implement the changes.
We remain in constant dialogue with Google. The focus recently was mainly on the outcomes of the DPIA on Workspace and the advice of the AP. We will continue to discuss other Google services and products such as Additional Service, ChromeOS and Google Cloud Platform. In addition, we will monitor the technical improvements that Google must implement on Workspace to judge that they are completed in a timely and sufficient manner.
Questions about the DPIA on Google
DPIA stands for Data Protection Impact Assessment. A DPIA provides insight into how data is collected, what is done with it and what the risks are, so that measures can then be taken to reduce the risks. More information? Read more about DPIAs on the IBP Approach of Kennisnet.
The DPIA was done to identify the privacy risks of Google G Suite for Education for use by educational institutions. This allows us to identify what measures can be taken to mitigate those risks.
The DPIAs conducted show that there are privacy risks when using Google G Suite (Enterprise) for Education. Google has therefore amended the privacy conditions on a number of points. However, risks still remain.
The DPIA also revealed that so-called metadata is being collected. Metadata remotely measures whether and how a user uses the programs. This data is sent to the supplier of the software. It is, for example, the moment of login by users, which sites are visited, how long they work on a document or how many words are typed.
Google continues to see itself as a data controller of some of the data collected rather than a processor. This means that Google thinks they are allowed to determine for what purpose they collect this metadata and in what way. Google is not sufficiently transparent about this. As a result, educational institutions that use Google G Suite (Enterprise) for Education have no or insufficient control over Google's use of this data.
The DPIA is in English because the working language within Google is English. The results should also be clear to them and not be misinterpreted or translated.
Questions for SURF members
SURF has not had an agreement with Google for years. Only since very recently, there is the possibility to purchase G Suite via OCRE. Institutions have not yet made use of this option.
That depends on your institution's current agreements with Google. We are not in a position to make general assumptions about individual situations. Please contact your SURF relationship manager if you have any questions.
The DPIA that is completed, was specifically aimed at G Suite. Other Google solutions have not been tested at this point. As such, we cannot (yet) state with certainty whether these solutions comply or not. It is up to the institution to weigh up the pros and cons of their use and, above all, to consult their Data Protection Officer (FG). We do advise to proceed with caution when entering into new contracts.
Currently, there is a problem that needs to be solved, and we assume Google will make the necessary adjustments to resolved these problems. The current situation does not mean the education sector should stop using Google G Suite immediately or all together, especially if they depend on it for the continuity of their education. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) has been asked to provide advice on this, and talks with Google about their policy are ongoing. We advise institutions considering using Google to take the results of this DPIA into account when making decisions.
Similar DPIAs have been carried out for Microsoft products and services two years ago. As a result, at the time, additional arrangements have been made with Microsoft. The final conclusion of these DPIAs was that the use of Microsoft products does not involve high risks, provided that the customer takes a number of measures.
If your question is not answered on this page, please contact your SURF relationship manager.
At the request of the Amsterdam University of Applied Sciences (HvA) and the University of Groningen (RUG), SURF has been involved in this process since May 2020. SURF has been involved as this matter is of great importance to a number of its members, and to the Dutch education sector as a whole. SURF (on behalf of higher and vocational educational institutions) and SIVON (on behalf of the primary and secondary education sectors) are in discussions with Google on behalf of the education sector in order to ensure Google eliminates the privacy risks.