U-M recognizes that those who work on its behalf may need to access or maintain sensitive university data from their personally owned devices (smartphones, tablets, laptops, and more*) and provides guidance for this use in Security of Personally Owned Devices that Access or Maintain Sensitive Institutional Data (SPG 601.33).
If your department or unit permits you to work with sensitive institutional data from:
- Your own devices
- Self-managed devices (for example, devices purchased for research purposes with grant money that are not managed by your department's IT staff)
you are expected to protect the data by securing and properly managing these devices according to Your Responsibilities for Protecting Sensitive Data When Using Your Own Devices.
Departments/units have the discretionary authority to decide whether to allow their members to use personally owned and self-managed devices with sensitive data. They may also choose to adopt additional expectations and restrictions beyond those outlined in SPG 601.33. A department/unit that elects to allow this practice must review its implementation of the policy on a regular basis, using Toolkit: Reviewing Your Department/Unit Implementation of SPG 601.33.
Related Policies and Standards
- Security of Personally Owned Devices that Access or Maintain Sensitive Institutional Data (SPG 601.33)
- Unit-Specific Expectations for Self-Management of Personally Owned Devices that Access Sensitive Institutional Data (DS-07)
- Responsible Use of Information Resources (SPG 601.07)
- Privacy and the Need to Monitor and Access Records (SPG 601.11)
- Guidelines for eDiscovery (PDF)
*Personally owned devices include personal computers, laptops, smartphones, tablets, media players, and removable media such as USB flash drives, external disk drives, DVDs, or any optical storage media that can be readily transferred from one electronic device to another. They also include devices for which U-M provides a partial subsidy or stipend.