Sensitive Data Policies and Regulatory Compliance
Federal and state laws and regulations require the university to apply certain security safeguards around various categories of sensitive institutional data or information. Industry standards, such as those that apply to credit card payments, create additional requirements.
To satisfactorily comply with these regulatory requirements, U-M must put in place and maintain reasonable and appropriate information security safeguards based on the results of periodic risk assessments. The U-M IT Security Program sets expectations for regulatory compliance to be carried out by all units as an important part of their IT security activities.
Regardless of how widely a law applies or how well known it is, every law that impacts on the activities of individuals at U-M raises obligations that U-M, as an institution, is responsible for. This means that every individual working at U-M needs to take responsibility for ensuring that U-M is complying with laws and regulations.
Staff who handle sensitive university data should use the Sensitive Data Guide to make informed decisions about where to safely store and share sensitive data using IT services available on the UM-Ann Arbor campus. In addition, persons traveling internationally should refer to Mobile Device Security When Traveling or Conducting Field Research. This will help ensure U-M remains in compliance with federal and state regulatory requirements. All legal and regulatory compliance requirements apply, whether a staff member is using a U-M owned or managed computer or a personally owned device to access or store U-M sensitive regulated data.
Lack of compliance with regulatory requirements that results from mishandling sensitive data can lead to significant consequences for U-M. Responding to data breaches or disclosures of data, whether inadvertent or not, can be very time consuming and expensive, and may include the expectation that U-M notify potentially affected individuals whose personal data is exposed.
Note: This Quick Reference Sheet is designed as a handout for staff who handle student, employee, customer, and patient information. It provides a summary of best practices for handling different categories of sensitive data as well as information regarding where to seek additional assistance.
Related U-M Information Technology Policies and Guidelines