Sensitive Identifiable Human Subject Research

Data Type Description 

Sensitive identifiable human subject research data is regulated by the Federal Policy for the Protection of Human Subjects (also called the “Common Rule”). Among other requirements, the Common Rule mandates that researchers protect the privacy of subjects and maintain confidentiality of human subject data.

A human subject is defined by federal regulations as a "living individual about whom an investigator (whether professional or student) conducting research obtains (1) data through intervention or interaction with the individual, or (2) identifiable private information.”

“Identifiable” means the information contains one or more data elements that can be combined with other reasonably available information to identify an individual (for example, Social Security number, health care record).

Personally identifiable data is sensitive if disclosure of such data would pose increased social/reputational, legal, employability, or insurability risk to subjects.

Data Steward: U-M Research Ethics and Compliance, Human Research Protection Program (HRPP): hrrpumich@umich.edu

Examples 

Sensitive identifiable information may include research data referring to

  • Illegal behaviors
  • Drug or alcohol abuse
  • Sexual behavior
  • Mental health or other sensitive health or genetic information

Any data collected under a National Institutes of Health (NIH) Certificate of Confidentiality is considered sensitive.

Andrew File System (AFS): 
Not Permitted
BlueJeans Video Conferencing: 
Permitted
Canvas: 
Permitted
Cloud Storage Included with Software: 
Not Permitted
CTools: 
Permitted
Data Warehouse: 
Permitted
Desktop Backup (Powered by CrashPlan): 
Permitted
MiDesktop: 
Permitted
Digital Signage: 
Not Permitted
Echo360 - Lecture Capture and LectureTools: 
Not Permitted
eResearch: 
Not Permitted
Flux: 
Permitted
Globus: 
Not Permitted
ITS Exchange Email and Calendar: 
Permitted
Amazon Web Services GovCloud at U-M: 
Permitted
Amazon Web Services (AWS) at U-M: 
Permitted
Box Additional Apps (Non-Core): 
Not Permitted
Box at U-M Core Apps: 
Permitted
Google Non-Core Services: 
Not Permitted
Google Drive at U-M: 
Permitted
Google Mail and Calendar at U-M and Inbox by GMail: 
Not Permitted
Google at U-M Core Services: 
Not Permitted
MiDatabase: 
Permitted
MiServer: 
Permitted
MiShare: 
Permitted
MiStorage (CIFS): 
Permitted
MiStorage (NFS): 
Not Permitted
MiVideo: 
Permitted
MiWorkspace: 
Permitted
Personal Accounts (Dropbox, Slack, etc.): 
Not Permitted
Personally Owned Devices (phone, tablet, laptop, etc.): 
Permitted
Qualtrics: 
Permitted
ServiceNow: 
Permitted
Statistics and Computation Service: 
Not Permitted
MiBackup: 
Permitted
Turbo Research Storage (NFS): 
Not Permitted
Turbo Research Storage (NFSv4+Kerberos or CIFS): 
Permitted
Michigan Medicine Exchange/Outlook Email and Calendar: 
Permitted
Armis: 
Permitted
Document Imaging System: 
Permitted
SignNow at U-M (E-Signature): 
Permitted
Piazza Q&A: 
Not Permitted
Dedoose: 
Permitted
Gradescope: 
Not Permitted
Electronic Research Notebook at U-M: 
Permitted
Microsoft Azure at U-M: 
Permitted
Google Cloud Platform at U-M: 
Permitted
Perusall: 
Not Permitted
Yottabyte Research Cloud: 
Permitted