Data Protection and Google Calendar

Cambridge University gave a report at Networkshop on their work with Google to make outsourcing of staff and student calendars compliant with UK data protection law. This was achieved through a combination of individual contract terms, obtaining assurances about Google’s security processes, and design of the local Cambridge infrastructure.

Cambridge’s contract includes a definition of personal data (the EU definition differs from that in the USA); explicitly limits Google’s processing of data to only that necessary to provide the services; and removes Google’s right to read e-mails to the abuse@ and postmaster@ addresses in the outsourced domain (this may be reasonable for an organisation outsourcing e-mail, but not where only calendar and contacts are outsourced). Google are registered under the US Safe Harbor scheme, and provided the same rules and processes are applied by them to data centres in other countries (regulated by the Safe Harbor "Onward Transfer" provisions) this seems to satisfy the EU requirements on exporting personal data. Finally Cambridge only provision a calendar account on Google when the user first attempts to access it, so the user can be informed of how (and where) their personal data will be processed before the first information is exported. Along with publishing the contract they have with Google, this has reassured those users who were concerned at their data being outsourced.