As a U-M researcher, you are responsible for safeguarding information about your research, as well as university information that you may have access to. Use this Sensitive Data Guide to learn about appropriate services for storing and sharing sensitive research and other university information.

Commonly Used Data Types

Export Controlled Research (ITAR, EAR)

Export Controlled Research includes information that is regulated for reasons of national security, foreign policy, anti-terrorism, or non-proliferation. The International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) govern this data type. Current law requires that this data be stored in the U.S. and that only authorized U.S. persons be allowed access to it.

Federal Information Security Management Act (FISMA) Data

The Federal Information Security Management Act (FISMA) requires federal agencies and those providing services on their behalf to develop, document, and implement security programs for information technology systems and store the data on U.S. soil. This means that, under some federal contracts or grants, information the university collects or information systems that the university uses to process or store research data need to comply with FISMA.

Whether data is regulated by FISMA is typically called out in a Request for Proposal (RFP) or in contract or grant language. It is important that researchers review grant and contract language closely to identify FISMA or other information security requirements.

Other Sensitive Institutional Data

According to university policy, data will typically be classified as sensitive if any of the following are true:

  • Unauthorized disclosure may have serious adverse effects on the university’s reputation, resources, or services or on individuals.
  • It is protected under federal or state regulations.
  • There are proprietary, ethical, or privacy considerations.

Personally Identifiable Information (PII)

Personally Identifiable Information (PII) is a category of sensitive information that is associated with an individual person, such as an employee, student, or donor. PII should be accessed only on a strict need-to-know basis and handled and stored with care.

PII is information that can be used to uniquely identify, contact, or locate a single person. Personal information that is “de-identified” (maintained in a way that does not allow association with a specific person) is not considered sensitive. Note that UMID numbers by themselves are not considered sensitive or private personal information.

University policies, contractual obligations, and federal and state laws and regulations require appropriate protection of PII that is not publicly available. These regulations apply to PII stored or transmitted via any type of media: electronic, paper, microfiche, and even verbal communication.

PII does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

Protected Health Information (HIPAA)

Protected Health Information (PHI) is defined by the Health Insurance Portability and Accountability Act (HIPAA). PHI is individually identifiable health information that relates to the

  • Past, present, or future physical or mental health or condition of an individual.
  • Provision of health care to the individual by a covered entity (for example, hospital or doctor).
  • Past, present, or future payment for the provision of health care to the individual.

Researchers should be aware that health and medical information about research subjects may also be regulated by HIPAA. Researchers can contact the U-M Health System (UMHS) Compliance Office with questions.

Sensitive Identifiable Human Subject Research

Sensitive identifiable human subject research data is regulated by the Federal Policy for the Protection of Human Subjects (also called the “Common Rule”). Among other requirements, the Common Rule mandates that researchers protect the privacy of subjects and maintain confidentiality of human subject data.

A human subject is defined by federal regulations as a “living individual about whom an investigator (whether professional or student) conducting research obtains (1) data through intervention or interaction with the individual, or (2) identifiable private information.”

“Identifiable” means the information contains one or more data elements that can be combined with other reasonably available information to identify an individual (for example, Social Security number, health care record).

Personally identifiable data is sensitive if disclosure of such data would pose increased social/reputational, legal, employability, or insurability risk to subjects.

Social Security Numbers

Social Security numbers are unique, nine-digit numbers issued to U.S. citizens, permanent residents, and temporary (working) residents for taxation, social benefits, and other purposes. Social Security numbers are a primary target for identity thieves. They fall into the U-M category of sensitive Personally Identifiable Information (PII). U-M has not used Social Security numbers as identifiers for students and employees since 2004. 

Student Education Records (FERPA)

Student education records are records that contain information directly related to a student and that are maintained by the University of Michigan or by a person acting for the university. The Family Educational Rights and Privacy Act (FERPA) governs release of, and access to, student education records. Directory information about a student is not regulated by FERPA and can be released by the university without the student's permission. Students can request non-disclosure from the U-M Registrar's Office.