Policy for Google Shared Drives

Purpose

  • To ensure that University data is well managed, and not lost when people leave the University.
    • Once a Drive isn't shared with anyone it is impossible to tell who owned the Drive once 180 days has passed since the last activity on the Drive.
  • To ensure that we make good use of the limited amount of Google storage that we have.
    • All Shared Drives created under our account count towards our storage, and are part of our domain, even if they are "transferred" to a personal account by making a personal account the manager.
  • To minimise the retention of data beyond its retention period, particularly personal data. All data in Google may be discoverable by FoI, SAR, law enforcement or legal processes.
  • To minimise the need for IT personnel to look through files, both to reduce any privacy impact and use of staff time.

Scope

  • All Google shared drives within the york.ac.uk domain, whether created by staff, students or associates.

Policy

1. All Google Shared drives must have a minimum of one manager with a york.ac.uk address. Two is preferred for continuity, but it is recognised that some drives are for the use of one person at a time.

a. You should ensure that another york.ac.uk account has manager status before removing yourself.
b. When leaving the University you should check all shared drives where you are a manager to ensure that there is a second manager, or delete the drive if it is no longer required.
c. When leaving the University you must not share drives with a personal account – move any personal files that you need to keep off the york.ac.uk domain. Data that is internal, confidential or secret must not be transferred. 

2. Where a Google Shared drive is inaccessible because nobody at all has access that drive will be deleted 13 months from last access.

3. Where a Google Shared drive has no york.ac.uk manager the people with access will be contacted by email:

a. If an appropriate University manager can be identified, they will be given manager access, bringing the drive into compliance.
b. Otherwise they will be asked to confirm that no University data is held, if it is this must be moved or deleted immediately.
c. They will be given 30 days to transfer anything personal from the drive.
d. The drive will then be deleted.

4. Shared Drives should not be used for the storage of large amounts of data where there is no benefit to that data being in Google. We fully endorse the use of Google for collaboration, particularly using Google native formats, but it is not an appropriate place for long term storage or archiving of significant amounts of data.

Monitoring and review

Policy to be reviewed every three years, or on change to the operating environment or Google's policies/charging model.

Version 1, approved by Information Security Board on 13 November 2024.