Sensitive Identifiable Human Subject Research

Sensitive identifiable human subject research data is regulated by the Federal Policy for the Protection of Human Subjects (also called the “Common Rule”). Among other requirements, the Common Rule mandates that researchers protect the privacy of subjects and maintain confidentiality of human subject data.

A human subject is defined by federal regulations as a "living individual about whom an investigator (whether professional or student) conducting research obtains (1) data through intervention or interaction with the individual, or (2) identifiable private information.”

“Identifiable” means the information contains one or more data elements that can be combined with other reasonably available information to identify an individual (for example, Social Security number, health care record).

Personally identifiable data is sensitive if disclosure of such data would pose increased social/reputational, legal, employability, or insurability risk to subjects.

Frequently Used by: 

Faculty
Staff
Students
Researchers

Category: 

Sensitive

Examples: 

Sensitive identifiable information may include research data referring to

  • Illegal behaviors
  • Drug or alcohol abuse
  • Sexual behavior
  • Mental health or other sensitive health or genetic information

Any data collected under a National Institutes of Health (NIH) Certificate of Confidentiality is considered sensitive.

Andrew File System (AFS): 

Not Permitted

Blue Jeans Video Conferencing: 

Permitted

Canvas: 

Permitted

Cloud Storage Included with Software: 

Not Permitted

CTools: 

Permitted

Data Warehouse: 

Permitted

Desktop Backup (Powered by CrashPlan): 

Permitted

Desktop Virtualization (VDI): 

Permitted

Digital Signage: 

Not Permitted

Echo360 - Lecture Capture and LectureTools: 

Not Permitted

eResearch: 

Not Permitted

Flux: 

Permitted

Globus: 

Permitted

ITS Exchange Email and Calendar: 

Permitted

M Cloud - Amazon Web Services GovCloud: 

Permitted

M Cloud Amazon Web Services (AWS): 

Permitted

Box Additional Apps (Non-Core): 

Not Permitted

Box at U-M Core Apps: 

Permitted

Google Additional Services (Non-Core): 

Not Permitted

Google Drive at U-M: 

Permitted

Google Mail and Calendar at U-M: 

Not Permitted

Google Sites, Talk/Hangouts, Groups, Tasks, Classroom at U-M: 

Not Permitted

MiDatabase: 

Permitted

MiServer: 

Permitted

MiShare: 

Permitted

MiStorage (for Some Sensitive Data) with CIFS: 

Permitted

MiStorage with NFS: 

Not Permitted

MiVideo: 

Permitted

MiWorkspace: 

Permitted

Personal Accounts (Dropbox, OneDrive, iCloud, etc.): 

Not Permitted

Personally Owned Devices (phone, tablet, laptop, etc.): 

Permitted

Qualtrics: 

Permitted

ServiceLink: 

Permitted

Sitemaker: 

Not Permitted

Statistics and Computation Service: 

Not Permitted

MiBackup: 

Permitted

Turbo Research Storage with NFS: 

Not Permitted

Turbo Research Storage (for Some Sensitive Data) with NFSv4+Kerberos or CIFS: 

Permitted

UMHS Exchange/Outlook Email and Calendar: 

Permitted

Virtualization as a Service (VaaS): 

Permitted

Armis: 

Permitted

Imaging Services: 

Permitted