As a member of the U-M community, you share in the responsibility for ensuring U-M complies with data protection and privacy laws, regulations, and industry standards, as well as U-M policies and standards that require security safeguards around sensitive institutional data.
You are expected to learn about compliance requirements and make use of the tools, safeguards, and information the university has put in place. You may also be responsible, depending on your role at the university, for compliance in your unit.
Lack of compliance can result in significant consequences for the university and individuals, including fines, reputational damage, and harm to individuals whose data is exposed.
Which Ones Apply to You?
All legal and regulatory compliance requirements apply regardless of whether you are using a university owned or managed device or a personally owned device to work with sensitive university data. Different laws, regulations, and compliance requirements apply to different types of sensitive university data. Familiarize yourself with those that apply to the data you work with.
- Information Security Laws and Regulations. This list includes information about the federal and state laws and regulations (including HIPAA, GLBA, FERPA, and more) that apply to a wide range of data types.
- Sensitive Data Guide to IT Services. Use this guide to make informed decisions about where to safely store and share sensitive university data.
- Information Technology Policies and Standards. U-M information technology policies appy to all users across the entire university community, including the Ann Arbor, Dearborn, and Flint campuses, and Michigan Medicine. The specific policies and standards that apply to protecting sensitive data are listed below under Applicable University Policies.
- Internal Control Annual Certification Process. Requires unit leadership to annually certify level of compliance with particular security practice or process.
How to Comply
Choose storage services that comply with relevant laws, regulations and policies; protect your devices and data; and more. These resources can help.
- Data Classification Levels. Knowing how the data you work with is classified can help you determine the minimum security requirements for protecting it.
- Protect Sensitive Data. Learn the steps you can take to safeguard the data you work with.
- Sensitive Data Guide. Make informed decisions about where to safely store and share sensitive data.
- Travel Safely With Technology. Persons traveling internationally should follow these guidelines to ensure U-M remains in compliance.
Who Can Help
- Compliance@U-M. Learn about compliance and ethics at an institutional level and how to report issues and concerns.
- Information Assurance. If you have questions about protecting sensitive university data and complying with applicable laws, policies, and regulations, contact Information Assurance (IA) via the ITS Service Center.
Applicable University Policies
The following Information Technology Policies and Standards at U-M apply to proper protection of sensitive data:
- Privacy and the Need to Monitor and Access Records (SPG 601.11)
- Institutional Data Resource Management Policy (SPG 601.12)
- Information Security Incident Reporting (SPG 601.25)
- Information Security Policy (SPG 601.27)
- Sensitive Regulated Data: Permitted and Restricted Uses (DS-06)
- eDiscovery at the University of Michigan (DM-08) (PDF)