Responsible Office: Information Security

Boston University and Google have agreed to certain security standards for the data stored and maintained in the BU Google Apps suite of services. As a result, you may use a BU Google Apps account as a BU staff member, faculty member or student, provided that you do so according to University and IS&T policies, including restrictions for use and storage of certain types of sensitive data, and the requirements of your school, department or unit.


By using BU Google Apps, you consent to Boston University, as the domain administrator, accessing, monitoring, using or disclosing data available within your Google account in accordance with relevant university policies, and to Google providing Boston University with the ability to do so.

Any document deleted from Google Apps cannot be restored by Google or Boston University; BU does not maintain a backup. Data that is important to the operations of the University should be stored and backed up locally rather than stored in Google Apps. IS&T offers a Desktop Backup & Restore service to Faculty, Researchers, Staff, or Departments for backing up key University documents stored on University owned desktop and notebook computers.

There are some kinds of information that BU Google Apps should not be used to store, maintain, or transmit. Below, you will find a brief description of several kinds of particularly sensitive information and the restrictions on its storage, maintenance or transmission using Google Apps.

  • Health Insurance Portability and Accountability Act (HIPAA) and Protected Health Information (PHI)

BU Google Apps should not be used to store, maintain or transmit Protected Health Information (PHI), as defined under the Health Insurance Portability and Accountability Act (HIPAA). PHI should be stored only on systems approved for such use by IS&T. De-identified PHI (PHI stripped of all 18 identifiers specified under HIPAA) may be used with BU Google Apps, but only as permitted by the relevant data use agreement or IRB protocol.

If you must share PHI by email, use BU’s OneDrive, SharePoint, or secure email service (DataMotion) instead.

For more information regarding HIPAA or PHI please refer to Hipaa policiesor contact BU Information Security at

  • Export Controlled Information

BU Google Apps should not be used to store, maintain or transmit export-controlled information. For additional information about export controls, review the export control materials on the Office of Research website at Export here.

  • Social Security Numbers, Driver’s License Numbers, Financial Account/Credit Card Numbers

These are examples of data types that are classified by BU as Restricted Use.  BU Google Apps should not be used to store, use or transmit the above kinds of sensitive information. This type of data is protected by Massachusetts General Law Chapter 93H (the Massachusetts Identity Theft Law) and Regulation 201 CMR 17 (Standards for the Protection of Personal Information of Residents of the Commonwealth). Such data should be stored only on systems approved for such use by IS&T.

For more information regarding these requirements, contact BU Information Security at

Intellectual Property Rights and Participation of External Users

Google Apps permits users to invite other Google Apps users, both within the University and outside the University, to view data, co-edit documents, and use other collaboration tools. You are responsible for controlling access to data appropriately to protect Boston University intellectual property stored, used or transmitted in BU Google Apps.

Google Policies

For an explanation of Google’s privacy and security policies, please see this page, and
G Suite Security and Privacy for Administrators page.

This goes to main compliance site.  Should it go directly to export guidance here: