Google Drive and Microsoft OneDrive: Sharing Sensitive Information

Overview

UT has contracts in place with Microsoft OneDrive and Google Drive. University usage policies for these solutions are online (Microsoft, Google). OIT provides full support for OneDrive and Google Drive.

The University does not have approved terms and conditions for other popular Cloud-based file storage solutions such as Dropbox or Box. These solutions should not be used for official University business.

Types of Information

There are four types of information that we are concerned about:

  • FERPA - The Family Educational Rights and Privacy Act is a Federal law that protects the privacy of student education records.
  • Payment Card Industry (PCI) - Financial and credit card information is governed by the Payment Card Industry (PCI) standards.
  • PII - Personally identifiable information (PII) is any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another, or to de-anonymize otherwise anonymous data, can be considered PII.
  • HIPAA/PHI - The Health Insurance Portability and Accountability Act of 1996 protects most "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or medium, whether electronic, on paper, or oral. The Privacy Rule calls this information protected health information (PHI).

Federal restrictions govern how we handle these types of information.

  • The most restrictive guidelines are the HIPAA and PCI standards. HIPAA guidelines dictate that information classified as PHI or HIPAA information must be transmitted in an encrypted form AND stored in an encrypted format. The same applies to PCI data (credit card information).
  • FERPA guidelines (education records) do not require encryption, but the recommendation is to make every effort to protect the information.

OneDrive and Google Drive Comparison

Feature                  OneDrive                                         Google Drive
Quota                    Faculty, Staff, and Students: 5 TB individual    Faculty, Staff, and Graduate Students: 1 TB
                         Other accounts: 100 GB individual                Undergraduate Students: 100 GB
                         Teams: 25 TB
Team/Groups              Yes                                              Yes
Sync Client              Yes, including Groups and Teams                  Yes, including Shared Drives
File Sharing             Yes                                              Yes
Certified - FERPA        Yes                                              Yes
Certified - PII          Yes                                              Yes
Certified - HIPAA/PHI    Yes                                              Yes
Certified - PCI          Yes                                              Yes
Recycle Bin/Trash        90 days                                          30 days
Encrypted at Rest        Yes                                              Yes
Encrypted in Transit     Yes                                              Yes
T-Storage

T-Storage provides a central location for users and departments to store files and is available to all Knoxville faculty, staff, and students. The quota for personal home areas is 1 GB and the quota for departmental shares is 200 GB per user. Files are backed up and retained for up to 90 days. Details for hourly, daily, and monthly backups are available on the OIT T-Storage website. T-Storage data is not encrypted at rest or in transit.

Email

If you prefer to share sensitive information through email, you have two options.

  1. UT Vault is a secure file transfer service that allows you to send large files quickly and securely. (Encrypted at rest and in transit)
  2. Microsoft 365 Email Encryption. When sending an email from Office 365, type the word 'encrypt' in the subject line to encrypt your message. (Certified for HIPAA/PHI, PCI, PII, and FERPA)

Storing Sensitive Information

If staff routinely process or store ANY sensitive information (other than their own personal information) on their workstations, laptops, or removable media such as jump-drives, the same controls apply: HIPAA, PCI, PHI, and PII information must be protected. Limiting access to the information and encrypting it are two requirements. Access must be limited to those who are authorized to view or process the information as part of their official university duties. Apple and PC workstations support full-disk encryption, and full-disk encryption is recommended. Although storing information on a removable device like a jump-drive or external storage disk is not recommended, it is sometimes unavoidable. In that case, the information or the device should be protected by limiting both physical access to the device and logical access (to whom the information is shared electronically), and by encrypting the information.
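The full-disk encryption recommendation above is easy to state and easy to get wrong in practice, so here is a way to verify it on a workstation. This is an added shell example, not part of the OIT page: it parses the status output of the platform's own tools (fdesetup on macOS, lsblk on Linux, manage-bde on Windows) and reports whether the system volume is encrypted. The function names and the sample outputs are constructed for illustration; the tool names and output strings are the real ones, but treat the exact wording as an assumption to confirm against your own machines.

```shell
#!/bin/sh
# Added example, not from the OIT page: report whether a workstation's
# system disk is full-disk encrypted. Each parser takes tool output as an
# argument so it can be exercised offline on the constructed samples below.

# macOS: `fdesetup status` prints "FileVault is On." or "FileVault is Off."
fde_status_macos() {
  case "$1" in
    *"FileVault is On"*)  echo "encrypted" ;;
    *"FileVault is Off"*) echo "unencrypted" ;;
    *)                    echo "unknown" ;;
  esac
}

# Linux: `lsblk -l -o NAME,TYPE` lists a device with TYPE "crypt" when a
# dm-crypt/LUKS mapping is active (the usual LUKS-on-root layout).
fde_status_linux() {
  [ -z "$1" ] && { echo "unknown"; return; }
  if printf '%s\n' "$1" | awk '$2 == "crypt" { found = 1 } END { exit !found }'; then
    echo "encrypted"
  else
    echo "unencrypted"
  fi
}

# Windows: `manage-bde -status C:` reports "Protection Status: Protection On"
# for a BitLocker-protected volume (paste that output in when checking by hand).
fde_status_windows() {
  case "$1" in
    *"Protection On"*)  echo "encrypted" ;;
    *"Protection Off"*) echo "unencrypted" ;;
    *)                  echo "unknown" ;;
  esac
}

# Live check on the host this script runs on (macOS or Linux).
check_host() {
  if command -v fdesetup >/dev/null 2>&1; then
    fde_status_macos "$(fdesetup status 2>/dev/null)"
  elif command -v lsblk >/dev/null 2>&1; then
    fde_status_linux "$(lsblk -l -o NAME,TYPE 2>/dev/null)"
  else
    echo "unknown"
  fi
}

# Constructed sample outputs (not captured from a real machine).
SAMPLE_MAC_ON="FileVault is On."
SAMPLE_MAC_OFF="FileVault is Off."
SAMPLE_LSBLK_LUKS="NAME      TYPE
sda       disk
sda1      part
sda2      part
cryptroot crypt"
SAMPLE_LSBLK_PLAIN="NAME      TYPE
sda       disk
sda1      part
sda2      part"
SAMPLE_BDE_ON="Protection Status:    Protection On"

# Run against the samples, then against this host.
printf 'macOS sample (on):    %s\n' "$(fde_status_macos "$SAMPLE_MAC_ON")"
printf 'macOS sample (off):   %s\n' "$(fde_status_macos "$SAMPLE_MAC_OFF")"
printf 'Linux sample (LUKS):  %s\n' "$(fde_status_linux "$SAMPLE_LSBLK_LUKS")"
printf 'Linux sample (plain): %s\n' "$(fde_status_linux "$SAMPLE_LSBLK_PLAIN")"
printf 'Windows sample (on):  %s\n' "$(fde_status_windows "$SAMPLE_BDE_ON")"
printf 'This host:            %s\n' "$(check_host)"
```

A result of "unencrypted" on a machine that handles HIPAA, PCI, PHI, or PII data means the storage requirement in the paragraph above is not being met; "unknown" means the tool output did not match and should be inspected by hand rather than assumed safe.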

Regardless of the storage mechanism, the information must always be protected. It is EVERYONE's responsibility to take steps to ensure that sensitive information doesn't fall into the wrong hands.