Defra Logo Defra Logo

AI Tools for Defra Pilot Teams

AI tools guidance for Defra pilot teams, covering data usage, privacy settings, auditing, logging, and compliance requirements.

Google Gemini - Detailed Guide

(Generated by AI, ChatGPT Deep Research, on June 23rd 2025)

What Google Gemini does

Google Gemini is an AI chat assistant you access through a web browser or mobile app. It answers questions, helps write content, and connects with other Google services to help with work tasks.

Key features:

  • Answers questions and explains topics
  • Writes and edits documents
  • Analyses and summarises content
  • Creates images and presentations
  • Integrates with Gmail, Drive, and other Google apps
  • Offers voice conversations (“Gemini Live”)

How to access it: Sign in with a Google Account at gemini.google.com or use the mobile app.

Two versions available:

  • Free version: For personal use with basic features
  • Enterprise version: For organisations through Google Workspace

Control your privacy settings

Free version privacy

Default behaviour:

  • Saves your chat history for 18 months
  • May use your conversations to improve the AI
  • Human reviewers might read your chats to train the system

Take control:

  1. Turn off chat history: Go to My Activity settings and disable “Gemini Apps Activity”
  2. Change retention period: Choose 3, 18, or 36 months in your Google Account settings
  3. Delete conversations: Remove individual chats or your entire history anytime

Important: Even with history off, Google keeps conversations for 72 hours to process feedback and maintain service quality.

Enterprise version privacy

Better privacy protections:

  • Your chats are not used to train Google’s AI
  • No human reviewers read your conversations
  • Data stays within your organisation’s Google Workspace
  • Follows the same security rules as Gmail and Google Drive

Administrator controls:

  • IT teams can turn Gemini on or off for different users
  • Chat data inherits your organisation’s data protection policies
  • Retention settings will be configurable by administrators (coming soon)

Protect sensitive information

Never enter:

  • Classified or confidential data
  • Personal information of citizens
  • Security credentials or passwords
  • Commercially sensitive information

Why: On the free version, human reviewers may see your conversations.

Free version terms

Using Gemini with a personal Google Account means:

  • Google’s standard Terms of Service apply
  • Google Ireland Limited provides the service in Europe
  • Your conversations may be used to improve Google’s services
  • You must follow Google’s AI usage policies (no illegal or harmful content)

Enterprise version terms

Using Gemini through Google Workspace means:

  • Your organisation’s Google Workspace agreement applies
  • Google acts as a data processor (you control how data is used)
  • Your conversations are not used to train Google’s AI
  • Same legal protections as other Google Workspace services
  • GDPR compliance through existing data processing agreements

Important documents to review:

  • Google Terms of Service
  • Gemini Apps Privacy Notice
  • Google Workspace Terms (for enterprise users)
  • Generative AI Prohibited Use Policy

Understand data storage

Where your data goes

Processing location: Google’s global data centres worldwide

Important: Google does not guarantee your data stays in any specific country during AI processing. This means:

  • Data may be processed outside the UK or EU
  • Processing happens wherever Google has available capacity
  • Standard encryption and legal protections apply to international transfers

Enterprise data residency

Limited regional control:

  • AI processing happens globally regardless of settings
  • Saved documents can be stored in your chosen region (UK/EU)
  • Chat history location follows global processing rules
  • Google Ireland manages European users’ data

For UK government use: Treat any input to Gemini as potentially leaving UK jurisdiction during processing.

Data security measures

Data in transit: All communications use HTTPS/TLS encryption

Data at rest:

  • All stored content is encrypted on Google’s servers
  • Enterprise data gets the same protection as Gmail and Google Drive
  • Consumer data is logically separated by account

Client-side encryption: Not compatible with Gemini - the AI cannot read customer-encrypted content

How long data is kept

Free version:

  • Chat history: 18 months by default (you can change this to 3-36 months)
  • Deleted conversations: Removed immediately from your account
  • Human review data: Up to 3 years if selected for training (anonymised)

Enterprise version:

  • Chat history: Currently 18 months default
  • Administrator controls: Coming soon for custom retention periods
  • Training data: Your conversations are never used for this purpose

Temporary storage: Google keeps recent chats for 72 hours to maintain service quality

Track usage and activities

Available audit logs

Current capabilities:

  • Track when Gemini accesses your Google Drive files
  • See which users triggered AI actions
  • View timestamps and file access details
  • Export logs through Google Workspace admin tools

What gets logged:

  • File access events when Gemini reads documents
  • User who made the request
  • Time and date of access
  • Which files were involved

What is not logged:

  • The actual questions users asked
  • Gemini’s responses
  • General chat conversations (without file access)

How to access logs

For administrators:

  1. Go to Google Workspace Admin Console
  2. Use the Investigation tool
  3. Look for “Gemini content access” events
  4. Export via Workspace Audit API if needed

Future logging capabilities

Google plans to expand audit logging to cover:

  • Gmail integration activities
  • Other Google Workspace app interactions
  • More detailed usage tracking

Current limitation: Simple chat conversations without file access are not audited.

Control user access

User authentication

How users get access:

  • Sign in with Google Account credentials
  • Enterprise users need Google Workspace accounts
  • Same security features apply (two-factor authentication, etc.)

Administrator controls

Enterprise access management:

  • Turn Gemini on or off for specific users or groups
  • Control which Google Workspace licences include Gemini
  • Set age restrictions (users must be 18 or older)
  • Manage integration with other Google services

Workspace Extensions control:

  • Allow or block Gemini’s access to Gmail, Drive, etc.
  • Users can also individually control these connections
  • Administrators can disable extensions entirely

User permissions

Within Gemini:

  • All authorised users have the same capabilities
  • No role-based restrictions once inside the chat
  • Access control happens at the login level

Integration permissions:

  • Users must consent to let Gemini access their files
  • Permissions can be granted or revoked anytime
  • Administrators can override user permissions

Account security

Automatic security features:

  • Inherits all Google Account security policies
  • Session management tied to Google Account timeouts
  • Account disabling removes Gemini access immediately
  • No separate authentication system to manage

Check compliance requirements

Security certifications

Google Gemini has achieved these formal certifications:

Information security:

  • ISO 27001 - Information security management
  • ISO 27701 - Privacy information management
  • ISO 27017 - Cloud security guidelines
  • ISO 27018 - Cloud privacy protection

AI-specific certification:

  • ISO 42001 - AI management systems (first AI chat service to achieve this)

Operational security:

  • SOC 1, 2, and 3 - Service organisation controls
  • ISO 9001 - Quality management systems

Government security:

  • FedRAMP High - US government cloud security standard

Data protection compliance

GDPR compliance:

  • Data Processing Addendum covers enterprise users
  • Google acts as data processor, you control data
  • User rights supported (access, deletion, objection)
  • Data Protection Impact Assessment resources available

Sector-specific compliance:

  • HIPAA - Healthcare data protection (with Business Associate Agreement)
  • COPPA/FERPA - Educational privacy protection
  • EU AI Act - Preparing for upcoming AI regulations

UK government considerations

Strengths:

  • Comprehensive international security certifications
  • GDPR compliance mechanisms in place
  • Enterprise-grade security controls
  • Transparent data handling practices

Considerations:

  • No guarantee of UK-only data processing
  • No specific UK government certifications yet
  • May require Data Protection Impact Assessment
  • Not yet in UK government procurement frameworks (G-Cloud, etc.)

Before you start using Gemini

Get approval first

  1. IT security review - Have your security team assess the service
  2. Legal review - Check against your data handling policies
  3. Data classification - Ensure appropriate use for data sensitivity levels
  4. Privacy impact assessment - Complete DPIA if handling personal data

Choose the right version

Use enterprise version if:

  • Handling any work-related content
  • Need audit trails and administrator controls
  • Require GDPR compliance assurances
  • Want data processing agreements

Avoid free version for:

  • Any government work
  • Personal data processing
  • Confidential information
  • Official business use

Set up securely

For administrators:

  1. Configure user access through Google Workspace Admin Console
  2. Set appropriate retention policies when available
  3. Enable audit logging for compliance tracking
  4. Configure Workspace Extensions based on security needs
  5. Train users on appropriate use policies

For users:

  1. Sign in with official Google Workspace account
  2. Understand what data Gemini can access
  3. Review and configure integration permissions
  4. Never input sensitive or classified information

Create usage guidelines

Appropriate uses:

  • Drafting non-sensitive documents
  • Research and information gathering
  • Creative brainstorming
  • Code explanation and learning
  • Data summarisation (non-confidential)

Prohibited uses:

  • Processing classified information
  • Handling personal data without proper controls
  • Making decisions on sensitive matters
  • Replacing human judgment on critical issues
  • Storing passwords or security credentials

Getting help and support

Official resources

Google documentation:

UK government guidance:

Training and support

Key training topics:

  • Understanding AI limitations and biases
  • Recognising when not to use AI assistance
  • Data protection considerations
  • Effective prompt writing
  • Reviewing AI-generated content

Reporting issues

For technical problems:

  • Use Google Workspace support channels for enterprise users
  • Submit feedback through the Gemini interface

For security concerns:

  • Contact your organisation’s IT security team
  • Report data breaches following your incident response procedures

Next steps

  1. Start with a pilot - Test with a small group using non-sensitive content
  2. Gather feedback - Collect user experiences and security observations
  3. Review audit logs - Monitor usage patterns and access events
  4. Update policies - Refine usage guidelines based on experience
  5. Scale carefully - Expand access gradually with appropriate controls

Key decision: Choose enterprise version for all government use to ensure proper data protection and compliance controls.

Remember: AI is a tool to assist human judgment, not replace it. Always review and verify AI-generated content before using it in official contexts.

Support links

All content is available under the Open Government Licence v3.0, except where otherwise stated