Take home message: The University deals with a great deal of sensitive, private or confidential information that must be protected and used properly – not only because it is the right thing to do, but because there are many Federal and State laws and binding agreements that require us to protect certain information. Make sure you familiarize yourself with whatever requirements are relevant to the data or information you deal with in your U-M role, and comply with them.
- Federal and state laws and regulations (as well as binding industry standards, and general ethical and privacy considerations) require U-M to apply certain safeguards around various categories of information. Most of these safeguards require a standard of “reasonable and appropriate” protection to be afforded.
- The Institutional Data Resource Management Policy (SPG 601.12) and Privacy and the Need to Monitor and Access Records (SPG 601.11) provide the guiding principles for U-M’s handling of privacy.
- Examples of four different levels of sensitive institutional data (Restricted, High, Moderate and Low), including personally identifiable information (PII), can be found at U-M Data Classifications by level. See also this comprehensive table of information security and privacy laws, regulations, and standards organized by data classification levels, which require U-M compliance.
- If privacy is breached, the University may have an obligation to notify the person whose information has been accessed. It is therefore important that any potential breach of privacy be reported so that appropriate action can be taken. You can report an IT security incident; for the Health System, report to the Michigan Medicine Compliance Office (email); for information related to human research subjects, report to the Office of the Vice President for Research (email).
- Be aware that, in addition to privacy laws and standards, U-M (or individual faculty, staff or students) may also enter a confidentiality or non-disclosure agreement, contracting to keep certain information confidential. Although such agreements are entered voluntarily, once signed they are as binding as any of our legislative privacy obligations. If you are asked to enter a confidentiality agreement on behalf of U-M, or personally in connection with a U-M project, seek advice first from the Office of the General Counsel.
Major categories of information or data requiring protection:
Student records — Protected health information — Private personal information — Confidential or classified research data — Customer information — Credit cardholder information — SSNs — U-M employee privacy
- Student records, which are protected under the Family Educational Rights and Privacy Act (FERPA) – the University Registrar oversees compliance with this law; for more information, see the Compliance page on Student Records.
- Protected health information (PHI), which is protected under the Health Insurance Portability and Accountability Act (HIPAA) – the Michigan Medicine Compliance Office oversees compliance with this law; for more information, see the Compliance page on HIPAA.
- Personally Identifiable Information (PII), which is protected by the MI Identity Theft Protection Act (MCL 445.63) and analogous laws in other states. For more information, see the U-M Privacy site, which contains practical resources and guidance on managing PII. See also the Institutional Data Resource Management Policy (SPG 601.12) and Privacy and the Need to Monitor and Access Records (SPG 601.11) for U-M’s policy requirements. You can read more about the types of personal and sensitive data that require protection, including for different categories of people (such as students, employees, patients, research subjects and donors), on the examples of sensitive data by U-M role page.
- Confidential or classified research data, including confidential intellectual property and trade secrets, which may be protected by the MI Confidential Research & Investment Information Act (CRIA) as well as by research funding agreements related to classified or confidential research projects. For more information, see the Office of Research and Sponsored Projects (ORSP) websites on CRIA and classified research. See also the ORSP sites on working with sponsors, which discuss confidentiality, particularly in relation to industry sponsors.
- Customer information (that is, personal information provided by customers as part of a financial transaction, such as student loans or parental tuition payments), which is protected by the Gramm-Leach-Bliley Act (GLBA). The Office of Student Financial Services oversees compliance with this law; for more information, see U-M’s Information Security Program for the GLBA, the GLBA regulations, or contact Student Financial Services.
- Credit cardholder information, which is protected by the Payment Card Industry Data Security Standard (PCI-DSS) – the University Treasurer oversees compliance with this standard; for more information, see the Treasurer’s Merchant Services website, which includes U-M’s official PCI compliance document.
- Social security numbers (SSN), which are protected by the MI Social Security Number Privacy Act (MCL 445.81) and analogous laws in other states. U-M’s SSN management is governed by the Social Security Privacy and Protection Standard.
- U-M employee privacy – the Standard Practice Guide on Privacy and the Need to Monitor and Access Records (SPG 601.11) defines the rights, responsibilities and expectations of the University and its employees regarding the conditions under which U-M may access records and monitor record systems.
- All employees are responsible for protecting the personal information that U-M gathers and uses. It takes only a few details about an individual for a criminal to steal an identity, and U-M faculty and staff compile, store and access exactly that kind of information regularly. Even if you think you already know about privacy, review the guidance on the Safe Computing Privacy website.
- Whenever you gather information (especially sensitive or private information), make sure you understand and clearly note the purpose(s) for which that information is being gathered. That way, you can ensure the information is used appropriately in the future – not only by you, but by others in your work team or across U-M who may have access to it.
- All employees are responsible for organizing their work-related records so that they are accessible to others in the University with a legitimate business need for that information. This is something you should establish with your supervisor and work team, in accordance with SPG 601.11.
- As a general rule, access information or records only when you have a legitimate need to know or access that information: for instance, access student records only when there is a legitimate educational purpose, and U-M business records only when there is a legitimate business purpose.
- Never access the personal or scholarly records of another employee unless you have their permission or extenuating circumstances require it; see SPG 601.11 for more information.
- Privacy regulations may apply to sensitive information that is stored or transmitted on any type of media – electronic, paper, microfiche, and even verbal communication.
For guidance or support around the IT security systems that support privacy compliance, contact your local Security Unit Liaison, another member of the U-M Security Community in your unit, or Information Assurance. See also the Compliance page on Information Assurance.
Established 3/4/11, last updated 7/19/18 – Contact us if you believe any information is incorrect or outdated