Navigating ChromeOS Privacy: A Closer Look at Data Handling and User Control

It’s easy to feel a bit adrift when you hear terms like “data processor” and “data controller” thrown around, especially when it comes to the technology our kids use every day at school. For a while now, there's been a focused effort, a collaboration between SIVON, SURF, and Google, to really nail down how managed ChromeOS and the Chrome browser handle data on Chrome devices. The goal? To ensure everything is transparent and secure, particularly for educational institutions.

Back in 2022, an agreement was struck to deliver a processor version of managed ChromeOS by August 2023. This wasn't just a minor tweak; it involved a significant shift where Google primarily acts as a data processor, though they do retain controller roles for specific, limited purposes. This agreement also paved the way for product changes within ChromeOS itself. To really get a handle on things, a privacy assessment was conducted by The Privacy Company, leading to a series of mitigation measures designed to address potential concerns.

One of the key areas that came under scrutiny was the handling of Data Subject Access Requests (DSARs). It seems there were instances where DSAR results were incomplete, and explanations for refusals weren't always clear. To tackle this, schools are being advised to continue blocking access to the Chrome Web Store and Google Play Store, and to guide students on how to formally request access to their data through the school and then with Google. Google, in turn, has committed to individual assessments for each DSAR and is stepping up as a processor for both admin and end-user TakeOut tools. This means that with the new version of managed ChromeOS, expected by the end of August 2023, features like the Service Data Downloader and Domain-wide TakeOut will be available. These tools are designed to help schools, acting as data controllers, fulfill DSAR requests more effectively. The Service Data Downloader will handle Service Data keyed by user email or device serial number, while the Domain-wide TakeOut will manage Customer Personal Data keyed by user email from Chrome/OS services where Google acts as a processor.

Another point of discussion revolved around the limitation of data purposes. To address this, schools are encouraged to keep Workspace Additional Services disabled and to leverage admin event logs for providing access to personal data. Google has also been busy publishing more information about its data retention policies and will offer the Service Data Downloader tool to admins. The new ChromeOS version will include services like the Diagnostic Information Tool (DIT), a telemetry data viewer, to help admins access and understand the data collected.

Interestingly, Chrome Sync, a core service for EDU accounts, is already covered by existing Workspace agreements. Google has confirmed that Chrome Sync will be an Essential Service under the new Chrome ToS, and its data will be included in the Service Data Downloader. While Google Play user content and customer data are integrated with TakeOut for DSAR purposes, Play itself doesn't plan to become a data processor or integrate with the Service Data Downloader.

Ultimately, the aim of these ongoing improvements and agreements is to provide educational institutions with greater clarity and control over how student data is handled within the ChromeOS ecosystem. It’s a complex landscape, but the commitment to transparency and enhanced tooling is a positive step forward for everyone involved.
