Revoking third-party access into University Google accounts
IT Services are taking measures to enhance our information security and data privacy by reviewing third-party access to University of York Google accounts.
As part of this work we are currently undertaking a review of all third-party services which have been integrated into University Google accounts using high-risk permissions, i.e. those that have been granted access to read/write/delete in Google Drive, Gmail or Calendar. The majority of these services are not considered to be core IT services or tooling and are exposing University information to third parties without the required protections. IT Services are therefore undertaking a process to remove these high-risk third-party services over the next six months.
For services which are widely used across the University or where the impact is felt to be more significant, users will be notified in advance of them being removed. Whilst this is a rolling programme of work best efforts will be made to minimise disruption for staff and students. Internally developed services should not be impacted.
What if I need to continue to use a service using high-risk permissions?
We understand that some of the services and applications which will be removed may be useful for your work or study. For support with finding alternative digital tools, please contact the Digital Skills and Creativity (DISC) team via IT Services.
Core applications and services which require integration into Google, such as Zoom and Slack, will be approved where they have been centrally procured, appropriate due diligence has been undertaken, and vendors are bound under contract with the University. In instances where assistive technologies are using high-risk permissions, we will work to ensure adequate protections exist or to identify alternatives that meet the needs of staff and students.
If you wish to integrate services into University Google accounts moving forward, you will need to evidence the above. The University's Cloud Computing Policy details the procedure for introducing new software into the University. This policy seeks to ensure that software and cloud services provide adequate technical controls to protect University information and that vendors are contractually obligated to maintain safeguards and meet the requirements of UK Data Protection Law. Due to the time required to undertake appropriate due diligence, we are unable to perform this for niche requirements or where there is limited demand.
We appreciate that this change may cause some inconvenience but it is a necessary step to keep the University’s information secure. For any questions or further clarification, please contact IT Services.