Protect Sensitive Data

As individual custodians of the university's sensitive data, faculty, staff, and U-M workforce members are responsible for complying with

These policies apply to university owned and managed computers as well as to personally owned devices used to access sensitive university data. You are responsible for the following areas:

Expand All Content

Access Only the Data You are Authorized to Access

Don't request access unless you truly need it.

Before requesting access to systems that maintain sensitive institutional data, U-M faculty, staff, and Michigan Medicine workforce members are asked to:

  1. Complete an online course, Access and Compliance 101: Handling Sensitive Institutional Data at U-M. (U-M login required)
  2. After completing the course, they must agree to and submit online the Institutional Data Access and Compliance Agreement.
  3. Once these two steps are completed, they can submit an access request.

Remove access when no longer appropriate.

When people no longer have any affiliation to the university, they lose access to U-M standard computing services after a grace period. Departments and units are expected to initiate removal of administrative, elevated, and departmental access as part of the university's off-boarding process, whether the person leaves the university entirely or just leaves a role or job within it. For details, see

Work With Data Responsibly

Specific types of data may have special rules and/or laws for handling.

Applicable laws, regulations, or standards govern specific forms of data (e.g., health information, credit card data) may apply to the care of your sensitive data. 

For specific information, refer to:

Follow Information Security Risk Management guidelines to help protect sensitive data.

Follow the Information Security Risk Management guidelines, including the RECON risk assessment process, to reduce the risks of storing and using sensitive data.

Take extra care when traveling.

Learn how to protect sensitive data while traveling at Travel Safely With Technology.

If you use personal devices with sensitive data, you will have extra responsibilities.

If you work with sensitive institutional data from your own devices or from self-managed devices (for example, devices purchased for research purposes with grant money that are not managed by your department's IT staff), you are expected to secure and properly manage them to protect that data. For details, see: Your Responsibilities for Protecting Sensitive Data When Using Your Own Devices.

Never use personal accounts to maintain or share the university's sensitive data.

Personal accounts are those you sign up for yourself for your own use. These are different from accounts that the university makes available to you and for which it has a contract with the vendor, such as Box or Google.

See Use of Personal Accounts and Data Security for more information.

Store Data in the Appropriate Places

Learn where specific types of data can be safely stored.

The Sensitive Data Guide is an interactive tool to assist faculty, staff, and researchers in making informed decisions about where to safely store and share sensitive data using IT services available on the UM-Ann Arbor campus. It is particularly important to be careful with cloud computing resources; see also Safely Use the Cloud.

If you are working with HIPAA data, ITS offers some HIPAA-aligned services.

See how your unit and ITS can work together to ensure HIPAA standards are maintained via ITS HIPAA-Aligned Services.

If you use Box at U-M, learn how to use it securely.

Use Box Securely With Sensitive Data provides the guidelines for using the features and functionality of Box at U-M that are approved for use with sensitive data.

Properly Manage Devices Used with Sensitive Data

Follow device security rules.

Be sure the equipment you are using to interact with sensitive data is being properly secured to work with it. See Manage Your Workstation.

If you are interacting with sensitive data on a personal device, you will also need to review:

Securely dispose of media that has ever held, stored, or transmitted sensitive data.

When you are done with computers, other devices, hard drives, DVS, scanners, etc. that have interacted with sensitive data, you must take special care to dispose of them properly, since that data may still be recoverable. See Securely Dispose of Media for instructions.

Report a Breach or Compromise of Sensitive Data

Don't wait to gather evidence or resolve it yourself; report immediately if you suspect a breach.

Immediate reporting of a suspected breach:

See Report an IT Security Incident for details.

Get Help from these U-M Offices If Needed

FOIA Office

All requests for information under the Freedom of Information Act (FOIA) should be directed immediately to the university's FOIA Office.

General Counsel

U-M's Office of the General Counsel represents and advises the U-M community on legal matters.

Human Resource Records and Information Services

Human Resource Records and Information Services (HRISS) is the data steward of employment data for the university. It is responsible for developing and maintaining the university's human resource information system, maintaining faculty and staff records, providing information services to the university community and external agencies, and delivering customer support for benefits and other HR-related items. The HRRIS team is available for individual consultations with business and academic units.

Registrar

The Office of the Registrar provides help with and information about protecting student rights and records. This includes details about what information can and cannot be released. 

 

Treasurer's Office

The Treasurer's Office is responsible for Payment Card Industry (PCI) information at U-M. You must work with this office if you wish to accept credit card payments.

Michigan Medicine Compliance Office

The Michigan Medicine Compliance Office promotes compliance with all laws/regulations governing health care billing, coding, Medicare and Medicaid, patient privacy and information security, relationships and conflict of interest, and governmental investigations.