Google Drive (part of Google Apps for Education provided by SDSU to staff and faculty) can be used to store non-sensitive and some sensitive data as outlined below. Your SDSU Google Drive account is maintained with good privacy protections by SDSU Enterprise Technology Services. This allows some, but not all, sensitive data to be stored in your Drive storage space. Faculty and staff at SDSU have unlimited storage, but it is important to be careful about what you store and how you set up your files. Information on setting up a Shared Drive can be found here.
Keep in mind that only your SDSU Google Drive should be used for storing data. This is the Google Drive that you log into with your vcu.edu email address. Be careful not to store sensitive information of any kind on a free (gmail.com) Drive account, which has different privacy and security policies.
Google Drive can be used to store most data. In some cases, you will need to set up your folders according to the instructions in the next section to keep your data secure. Controlling and monitoring your sharing access is key to the proper use of campus Google Drive for data storage.
Data that can be stored in Google Drive: First name, init/Last name, FERPA directory information, Employee/Personnel Records, University Financial Records, Contracts/Grants info, Information under NDA, Investigative/Court Information, Protected Research/Intellectual Information, Information belonging to the federal government with sensitivity rating of low (FISMA low), copyright-protected information
Data that can be stored in Google Drive with proper sharing and access control: SSN, FERPA Non-directory information, Driver’s License or State Issued ID, Criminal Justice Information, Financial Aid Information, Donor information, PII of Children Under 13, PPRA regulated information, PII of EU Citizens, Authentication (Log-in) Credentials (if encrypted)
Data that needs assessment/approval and proper sharing and access control: Medical/Mental History, Medical Treatment or Diagnoses Information, Health Insurance Policy numbers, HIPAA PHI (ACE/from Covered Entities), Identifiable genetic information
Data that cannot be stored in Google Drive: Credit/Debit Card info, dbGaP data, The Cancer Genome Atlas (TCGA) data, Information belonging to the federal government with sensitivity rating of moderate or high (FISMA, Moderate+High), Export Controlled Information
If you are happy with the way you organize your physical records, you can use the same structure in your Google Drive. You might want to add a ReadMe Document to your folders to clarify what information is in that folder. This is especially helpful for spreadsheets, where a readme file can be used to define what is being recorded in the various rows and columns.
If you need to find another method of organization, one way is to create folders for each Project, then another level of folders for the types of experiments, surveys, and data collection you do.
The important thing to remember when you create folders and documents that will be shared with collaborators, be they students, technicians, or other faculty (see this page for information on setting up a Shared Drive), is this: do not share openly with a link. Instead, use the Advanced sharing settings to be sure that you are the final authority on who does and does not have access, and which collaborators can change the data.
You must make sure you, as the owner, are the only one who can share or delete the documents. You can limit the ability of editors to share documents by changing the Sharing settings. At the bottom of the Sharing settings window there will be a checkbox to prevent editors from changing access. Check this box; it is essential that you maintain control over who has access to the data. You can also change what collaborators can do, if you need to let others see the data but prevent them from making changes to your data.
In long projects with changing teams, you should also review permissions each semester and remove access from team members who are no longer on the project. Reviewing project security regularly is a best practice for protecting your data.
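One way to carry out the semester review described above is to check each file's sharing metadata against the current project roster. This is an added example, not SDSU tooling: it assumes metadata shaped like the Google Drive API v3 `files` resource (`writersCanShare`, `permissions`), and the file names, addresses and roster are constructed.

```python
# Added example: audit Drive sharing against the guidance above.
# Input dicts mimic Drive API v3 files.get(fields="name,writersCanShare,permissions").
# File names, e-mail addresses and the roster below are constructed sample data.

def audit_file(meta, owner, roster):
    """Return a list of findings for one file's sharing metadata."""
    findings = []
    # The "prevent editors from changing access" checkbox corresponds to
    # writersCanShare == False; a missing field is treated as not locked down.
    if meta.get("writersCanShare", True):
        findings.append("editors can change access")
    for perm in meta.get("permissions", []):
        ptype, role = perm.get("type"), perm.get("role")
        email = (perm.get("emailAddress") or "").lower()
        if ptype in ("anyone", "domain"):
            # Link or whole-domain sharing: access is not tied to named people.
            findings.append(f"shared by link/domain ({ptype}, {role})")
        elif role == "owner":
            if email != owner:
                findings.append(f"unexpected owner {email}")
        elif email not in roster:
            # Named user or group that is no longer on the project roster.
            findings.append(f"not on roster: {email} ({role})")
    return findings


def audit(files, owner, roster):
    """Map file name -> findings, keeping only files that need attention."""
    owner = owner.lower()
    roster = {addr.lower() for addr in roster} | {owner}
    report = {}
    for meta in files:
        findings = audit_file(meta, owner, roster)
        if findings:
            report[meta["name"]] = findings
    return report


SAMPLE_FILES = [  # constructed
    {"name": "survey-raw.xlsx", "writersCanShare": True, "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "pi@example.edu"},
        {"type": "user", "role": "writer", "emailAddress": "former.ra@example.edu"},
        {"type": "anyone", "role": "reader"}]},
    {"name": "README", "writersCanShare": False, "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "pi@example.edu"},
        {"type": "user", "role": "reader", "emailAddress": "current.ra@example.edu"}]},
]

if __name__ == "__main__":
    for name, items in audit(SAMPLE_FILES, "pi@example.edu", ["current.ra@example.edu"]).items():
        print(name, "->", "; ".join(items))
```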