The Box, the Drive, and the Blindspot

Ten or so years ago, I found myself inside a quiet contradiction. I was leading records and information governance efforts for a private K–12 school within a major university. The university’s central IT had approved Box for storing personally identifiable information (PII), and had ruled that Google Drive was not suitable for such use. However, it was permitted to store "academic information." That distinction struck me as illogical.

You can’t manage academic information (grades, transcripts, course schedules, recommendation letters) without including PII. The very nature of the academic record is personal. Trying to separate the two categories in practice was like insisting water was allowed in the pool but not wetness.

But the trouble didn’t stop there. Our division operated independently, with much of its own IT infrastructure. We served faculty and staff who demanded high-end Apple hardware and expected ease of use across their digital tools. Our tech budget leaned heavily toward devices, not enterprise software. We had access to Google Workplace for Education, then a free service, and we didn’t have direct access to Box in a way that integrated smoothly into our environment. Technically, we had Box as university employees, but in practice, nobody used it. The authentication layers, permissions, and folder structures required to make it functional across systems weren’t aligned.

So we used Google Drive.

I was aware of the policy landscape. I knew Box was the certified system for PII. I also knew that using Google Drive for any information that might contain sensitive data was not advised. But I reasoned that if we were careful -- if we stored only student-facing academic information, and avoided the inclusion of direct identifiers -- we could navigate that narrow channel. And that might have held, if the landscape hadn’t shifted.

Fast-forward to today. Google now OCRs all documents stored in Drive. That once-static PDF scan from 2014? It’s now searchable. That unlabeled identifier tucked in the corner of an old transcript? Now potentially flagged. In at least one case, a set of records we uploaded years ago to a completely private file server, subsequently transferred onto Drive, was found to contain Social Security Numbers -- not labeled, but valid by structure and context.

We didn’t know it then, but we were laying down a minefield that modern technology could now detect.

It wasn’t neglect. It was the consequence of trying to govern a fragmented system with no shared infrastructure, no budgetary backing, and no institutional muscle to support enforcement. I wasn’t a compliance officer. I didn’t have a team. I was a person doing the best I could inside a culture that prized flexibility and autonomy over standardization.

And here’s what I’ve come to understand:

You can’t govern alone.

Information governance only works when it’s aligned across tools, policy, culture, and authority. If even one of those elements is out of sync, governance becomes a personal burden rather than an organizational function. The moment a single person is responsible for both identifying the risks and swimming upstream against them, something will slip. Maybe not today. Maybe not tomorrow. But eventually.

This isn’t a story about blame. It’s a story about structure.

I’ve learned a lot since then. I’ve learned to push for cross-functional buy-in, to elevate data decisions to the leadership level, and to treat technology drift as an active threat to governance strategy. Most of all, I’ve learned that the true cost of “just make it work” is only visible in hindsight.