2. P ERSONAL DATA AND DATA SUBJECTS
2.5 T YPES OF PERSONAL DATA AND DATA SUBJECTS
2.5.1 Categories of personal data
Generally speaking, end-users can process all kinds of personal data with G Suite (Enterprise) for Education. The different services can be used for many different purposes by many different schools and universities. As the categories of personal data and data subjects in Customer Data and Support Data are dependent on the data that the customer and its end-users provide to Google, this section focusses on the data that are collected by Google through the use of the services (Diagnostic Data).
Absent a comprehensive documentation and publicly available policy rules governing the types of data that can be stored by Google as Diagnostic Data, it is prudent to assume that the G Suite Diagnostic Data may include all categories of personal data. Some types of data require extra attention due to their sensitive nature.
Personal data of a sensitive nature
Some personal data have to be processed with extra care, due to their sensitive nature. Examples of such sensitive data are financial data, traffic and location data. Both the contents of communication as well as the metadata (Diagnostic Data) about who communicates with whom, are of a similar sensitive nature. The contents of communication are specifically protected as a fundamental right, but metadata (Diagnostic Data) deserve a high level of protection as well. This will be explained in more detail in Section 16 of this report.
The sensitivity is related to the level of risk for the data subjects if the confidentiality of such data is breached. The effect of a breach of personal data of a sensitive nature may pose a greater risk for the
149 Google email reply of 17 February 2020 .
It is likely that many university employees will process personal data of a sensitive nature with the different products and services included in G Suite (Enterprise) for Education. For example, employees from the finance or HR departments can send or receive emails with sensitive financial data.
Personal data of a sensitive nature can be included in snippets of content of files that are provided to Google as Customer Data (such as the line preceding and following a word) in the telemetry data, as shown in Figure 16. However, such snippets may also be included in system generated event logs about the use of the Additional Services such as Google Groups, Classroom, Photos or as keywords in Google Alerts. Path and filenames are included, as shown in the Drive audit log, in Diagnostic Data about the opening or saving of files in Drive or headers of mails in Gmail.
Special categories of personal data
Special categories of personal data are strongly protected by the GDPR. According to Article 9 (1) GDPR, special categories of data consist of any:
“personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation”.
With special categories of data, the principle is one of prohibition: these data may in principle not be processed. However, the GDPR contains specific exceptions to this rule. Special categories of personal data may be processed for instance when the data subject has explicitly consented to the processing, or when data are made public by the data subject, or when processing is necessary for the data subject to exercise legal claims.150
At both AUAS and UG, several faculties work with different research platforms that may contain data relating to for example health or religion. For instance, researchers at the faculties of behavioural sciences or theology may work on research projects in relation to ethnic minorities or certain individuals with strong religious beliefs. If such personal data would be accessed without authorisation, for example by a data breach, that could have disastrous consequences for the research subjects. This could even result in the detention or criminal prosecution of refugees once they return to their country of birth.
Aside from special categories of data (see below), universities can also process confidential information. The Dutch government defines 4 classes of Classified Information, ranging from
150 These specific exceptions lifting the ban on the processing are listed in Article 9(2) under a, e and f of the GDPR.
confidential within the ministry to extra secret state secret.151 SURF publishes an overview with a BIV-classification for 25 types of data processing that frequently occur in universities .152
Confidential or classified information is not a separate category of data in the GDPR or other legislation concerning personal data. However, information processed by students or employees that is qualified as confidential information, whether or not it qualifies as personal data, must be protected by special safeguards. The processing of this information can also have a privacy impact when related to an individual. If the personal data of an employee, such as a Google G Suite (education) account ID, or unique device identifier, can be connected to the information that this person works with confidential information, the impact on the private life of this employee may be higher than if that person would only process ‘regular’ personal data. Unauthorised use of this information could for example lead to a higher risk of being targeted for social engineering, spear phishing and/or blackmailing.
If universities use Drive or Gmail, they have to be aware that the information stored on Google’s cloud servers may include confidential or sensitive information from and about university employees, including information which employees regularly access, send or receive such confidential data.
Google acknowledges that there may be spill-over from a student’s or employee’s ‘private’ Google Account to his Education Google Account.
“When you’re signed in with more than 1 Google Account at the same time, ads may be based on ad settings for your default account. Your default account is usually the account you signed in with first.” 153 After completion of this DPIA, Google provided new information about ways admins can prevent such spill-over. This information has been added to Sections 3.2.1 and 3.2.5 of this report. Also see the new table with residual high risks in Section 17.4 of this updated DPIA.
2.5.2 Data Subjects
The different kinds of data subjects that may be affected by the diagnostic data processing, can be distinguished in the following groups, namely: employees, students, contact persons and
miscellaneous other data subjects, such as for example job applicants or research subjects.
At the UG, names and other personal information of employees can be processed through Gmail, Google Calendar and Google Drive. Apart from the information that employees create themselves, employees can also be data subjects in information generated by others. For instance, if an
employee invites colleagues to share files in Google Drive, or invites colleagues to a meeting via Google Calendar.
At the AUAS there is no central policy or architecture to use the G Suite services. Different from the UG, the use of G Suite is not mandatory. However, some faculties use the G Suite services
structurally to collaborate. Examples of services frequently used by employees in these faculties are: Docs, Drive, Forms, Maps, Gmail, Calendar and YouTube. Employee personal data can be processed in management information for MT meetings, in curriculum information when employees collaborate on the creation of educational materials and in lists with teacher data (education evaluations, incidentally private data of employees). Incidentally employees may
151 Amongst others, the categories of classified information are defined in the Voorschrift Informatiebeveiliging Rijksdienst – Bijzondere Informatie (VIR-BI).
152 SURFnet, BIV-classificatie veel voorkomende verwerkingen, URL:
https://www.surf.nl/files/2019-01/201505---biv-classificatie-veel-voorkomende-verwerkingen.pdf . BIV stands for Beschikbaarheid, Integriteit en Vertrouwelijkheid (Availability, Integrity and Confidentiality).
process special categories or protected types of personal data, such as data about health related absences, or copies of passports.
Besides employees, students also use the G Suite services, with Gmail and Google Drive as the two most important applications. Apart from the information generated by the students themselves, students are also data subjects in information generated by employees. For instance, at the UG teachers process the grades of their students, including the student name, student number and other personal information in Google Sheets. They send those files via Gmail to the central student administration office. The staff of the central student administration at the UG processes a copy of the passport and health data from international students, such as exchange students via Gmail and Google Forms.
At the AUAS student personal data can be mentioned in attendance list, lists of marks, education evaluations, incidentally also self-written work, such as draft versions of a paper. Different from the UG, the use of G Suite is not mandatory for students either.
Students may belong to an extra vulnerable group if they are still minor when they apply for, or start their study.
Information processed with the G Suite applications is often shared internally and externally.
Customer Data and Diagnostic Data may contain information about contact persons who are not employees of the university. Examples are employees of other universities and third party vendors.
Diagnostic Data may include the sender’s name and email address, as well as the time when an email was sent or received.
Miscellaneous other data subjects
Besides employees and students, there is a third group of individuals whose personal data may be processed by the use of the G Suite software. For example, personal data from potential new employees can be processed when their information is entered into Google Calendar, sometimes with their curriculum vitae and other relevant documents with their personal information.
Another type of third party natural persons may figure as data subjects in several research projects by researchers working at the AUAS or UG. As explained above, some of the personal information processed in such research projects may be very sensitive, or contain special categories of data.
Such personal data could also occur in snippets of content included in the Diagnostic Data generated by the use of G Suite (Enterprise) for Education. Diagnostic Data could also include information about the communications pattern with people outside of the universities, such as lawyers and other advisors. Other examples involve people whose information is forwarded, but who are not directly in touch with the university themselves.
In sum, there are no limits to the categories of data subjects whose data may be processed in Customer Data and Diagnostic Data under normal use conditions by employees and students of the two universities.