Sensitive Identifiable Human Subject Research

Sensitive identifiable human subject research data is regulated by the Federal Policy for the Protection of Human Subjects (also called the “Common Rule”). Among other requirements, the Common Rule mandates that researchers protect the privacy of subjects and maintain confidentiality of human subject data.

A human subject is defined by federal regulations as a "living individual about whom an investigator (whether professional or student) conducting research obtains (1) data through intervention or interaction with the individual, or (2) identifiable private information.”

“Identifiable” means the information contains one or more data elements that can be combined with other reasonably available information to identify an individual (for example, Social Security number, health care record).

Personally identifiable data is sensitive if disclosure of such data would pose increased social/reputational, legal, employability, or insurability risk to subjects.

Frequently Used by: 
Faculty
Staff
Students
Researchers
Category: 
Sensitive
Examples: 

Sensitive identifiable information may include research data referring to

  • Illegal behaviors
  • Drug or alcohol abuse
  • Sexual behavior
  • Mental health or other sensitive health or genetic information

Any data collected under a National Institutes of Health (NIH) Certificate of Confidentiality is considered sensitive.

Andrew File System (AFS): 
Not Permitted
Blue Jeans Video Conferencing: 
Permitted
Canvas: 
Permitted
Cloud Storage Included with Software: 
Not Permitted
CTools: 
Permitted
Data Warehouse: 
Permitted
Desktop Backup (Powered by CrashPlan): 
Permitted
Desktop Virtualization (VDI): 
Permitted
Digital Signage: 
Not Permitted
Echo360 - Lecture Capture and LectureTools: 
Not Permitted
eResearch: 
Not Permitted
Flux: 
Permitted
Globus: 
Permitted
ITS Exchange Email and Calendar: 
Permitted
M Cloud - Amazon Web Services GovCloud: 
Permitted
M Cloud Amazon Web Services (AWS): 
Permitted
Box Additional Apps (Non-Core): 
Not Permitted
Box at U-M Core Apps: 
Permitted
Google Additional Services (Non-Core): 
Not Permitted
Google Drive at U-M: 
Permitted
Google Mail and Calendar at U-M and Inbox by GMail: 
Not Permitted
Google Sites, Talk/Hangouts, Groups, Tasks, Classroom at U-M: 
Not Permitted
MiDatabase: 
Permitted
MiServer: 
Permitted
MiShare: 
Permitted
MiStorage (for Some Sensitive Data) with CIFS: 
Permitted
MiStorage with NFS: 
Not Permitted
MiVideo: 
Permitted
MiWorkspace: 
Permitted
Personal Accounts (Dropbox, OneDrive, iCloud, etc.): 
Not Permitted
Personally Owned Devices (phone, tablet, laptop, etc.): 
Permitted
Qualtrics: 
Permitted
ServiceLink: 
Permitted
Statistics and Computation Service: 
Not Permitted
MiBackup: 
Permitted
Turbo Research Storage with NFS: 
Not Permitted
Turbo Research Storage (for Some Sensitive Data) with NFSv4+Kerberos or CIFS: 
Permitted
UMHS Exchange/Outlook Email and Calendar: 
Permitted
Virtualization as a Service (VaaS): 
Permitted
Armis: 
Permitted
Imaging Services: 
Permitted

Don't see the service you need? Contact the ITS Service Center.