Privacy & Confidentiality
Take home message: The University deals with a great deal of sensitive, private or confidential information that must be protected and used properly - not only because it is the right thing to do, but because there are many Federal and State laws and binding agreements that require us to protect certain information. Make sure you familiarize yourself with whatever requirements are relevant to the data or information you deal with in your U-M role, and comply with them.
- Federal and state laws and regulations (as well as binding industry standards, and general ethical and privacy considerations) require U-M to apply certain safeguards around various categories of information. Most of these safeguards require a standard of "reasonable and appropriate" protection to be afforded.
- The Institutional Data Resource Management Policy (SPG 601.12) provides the guiding principles for U-M's handling of privacy. The Policy also sets out the different classifications of data: sensitive, private/confidential, and public. See this ITS page on data classification for more information (requires login).
- Examples of the different types of sensitive data (including private personal information) are maintained by Information and Infrastructure Assurance (IIA), including links to other information sources. IIA also compiles a summary of laws requiring security measures to be applied around various categories of information, through their Compliance Table (requires login).
- If privacy is breached, the University may have an obligation to inform the person whose information has been accessed. It is therefore important that any potential breach of privacy be reported so that appropriate action can be taken. You can report a potential breach to your supervisor, Security Unit Liaison or IT Security; or, for the Health System, to the UMHS Compliance Office (email); or, for information related to human research subjects, to the Office of the Vice President for Research (email).
- Be aware that, in addition to privacy laws and standards, U-M (or individual faculty, staff or students) may also enter a confidentiality or non-disclosure agreement, contracting to keep certain information confidential. Even though we enter such agreements voluntarily, once we have entered them they become as binding as any of our legislative privacy obligations. If you are asked to enter a confidentiality agreement on behalf of U-M, or personally in connection with a U-M project, you should seek advice first from the Office of the General Counsel.
Major categories of information or data requiring protection:
Student records -- Protected health information -- Private personal information -- Confidential or classified research data -- Customer information -- Credit cardholder information -- SSNs -- U-M employee privacy
- Student records, which are protected under the Family Educational Rights and Privacy Act (FERPA) - the University Registrar oversees compliance with this law; for more information, see the compliance page on Student Records.
- Protected health information (PHI), which is protected under the Health Insurance Portability and Accountability Act (HIPAA) - the UMHS Compliance Office oversees compliance with this law; for more information, see the compliance page on HIPAA.
- Private personal information (PPI), which is protected by the MI Identity Theft Protection Act (MCL 445.63) and analogous laws in other states. For more information, see the U-M Privacy Matters site, which contains practical resources and guidance on managing PPI. See also the Institutional Data Resource Management Policy (SPG 601.12) and the Standard Practice Guide on Privacy and the Need to Monitor and Access Records (SPG 601.11) for U-M's policy requirements. You can read more detail about the types of personal and sensitive data that require protection, including for different categories of people (such as students, employees, patients, research subjects and donors), on the IT Security - Sensitive Data Examples page.
- Confidential or classified research data, including confidential intellectual property and trade secrets, which may be protected by the MI Confidential Research & Investment Information Act (CRIA) as well as by research funding agreements related to classified or confidential research projects. For more information, see the Office of Research and Sponsored Projects (ORSP) websites on CRIA and classified research. See also the ORSP sites on working with sponsors, which discuss confidentiality, particularly in relation to industry sponsors.
- Customer information (that is, personal information provided by customers as part of a financial transaction, such as student loans or parental tuition payments), which is protected by the Gramm-Leach-Bliley Act (GLBA). The University Registrar oversees compliance with this law; for more information, see U-M's Information Security Program for the GLBA, the GLBA regulations, or contact the Registrar.
- Credit cardholder information, which is protected by the Payment Card Industry Data Security Standard (PCI-DSS) - the University Treasurer oversees compliance with this standard; for more information, see the Treasurer's merchant services website, which includes U-M's official PCI compliance document.
- U-M employee privacy - the Standard Practice Guide on Privacy and the Need to Monitor and Access Records (SPG 601.11) defines the rights, responsibilities and expectations of the University and its employees regarding the conditions under which they may access records and monitor record systems.
- All employees are responsible for protecting the personal information that U-M gathers and uses. It takes only a few details about an individual for a criminal to steal that person's identity, and those details are exactly the kind of information that U-M faculty and staff compile, store and access regularly. Even if you think you already know about privacy, review the great guidance on the Privacy Matters website.
- Whenever you gather information (especially sensitive or private information), make sure you understand and clearly note the purpose(s) for which that information is being gathered. That way, you can ensure the information is used appropriately in the future - not only by you, but by others in your work team or across U-M who may have access to it.
- All employees are responsible for organizing their work-related records so that they are accessible to others in the University who have a legitimate business need to access that information. This is something you should establish with your supervisor and work team, in accordance with SPG 601.11.
- As a general rule, you should only be accessing information or records when you have a legitimate need to know or access that information - for instance, only accessing student records when there is a legitimate educational purpose, and only accessing U-M business records when there is a legitimate business purpose.
- You should never be accessing the personal or scholarly records of another employee unless you have their permission, or some extenuating circumstances require it: see SPG 601.11 for more information.
- Privacy regulations may apply to sensitive information that is stored or transmitted on any type of media - electronic, paper, microfiche, and even verbal communication.
For guidance or support around the IT security systems that support privacy compliance, contact your unit's Security Unit Liaison, another member of the U-M Security Community in your unit, or Information and Infrastructure Assurance. See also the compliance page on Information and Infrastructure Assurance.