Privacy & Confidentiality

Take home message: The University deals with a great deal of sensitive, private or confidential information that must be protected and used properly – not only because it is the right thing to do, but because there are many Federal and State laws and binding agreements that require us to protect certain information. Make sure you familiarize yourself with whatever requirements are relevant to the data or information you deal with in your U-M role, and comply with them.

U-M Policy and helpful links

  • Federal and state laws and regulations (as well as binding industry standards, and general ethical and privacy considerations) require U-M to apply certain safeguards around various categories of information. Most of these safeguards require a standard of “reasonable and appropriate” protection to be afforded.
  • The Institutional Data Resource Management Policy (SPG 601.12) and Privacy and the Need to Monitor and Access Records (SPG 601.11) provide the guiding principles for U-M’s handling of privacy.
  • Examples of four different levels of sensitive institutional data (Restricted, High, Moderate and Low), including personally identifiable information (PII), can be found at U-M Data Classifications by level. See also this comprehensive table of information security and privacy laws, regulations, and standards that require U-M compliance, organized by data classification level.
  • If privacy is breached, the University may have an obligation to inform the person whose information has been accessed. It is therefore important that any potential breaches of privacy be reported so that appropriate action can be taken. You can report an IT security incident; for the Health System, report to the Michigan Medicine Compliance Office (email); for information related to human research subjects, report to the Office of the Vice President for Research (email).
  • Be aware that as well as privacy laws and standards, U-M (or individual faculty, staff or students) may also enter a confidentiality or non-disclosure agreement, contracting to keep certain information confidential – and even though we voluntarily enter such agreements, once we have, they become as binding as any of our legislative privacy obligations. If you are asked to enter a confidentiality agreement on behalf of U-M, or personally in connection with a U-M project, you should seek advice first from the Office of the General Counsel.

Major categories of information or data requiring protection:

  • Student records
  • Protected health information
  • Private personal information
  • Confidential or classified research data
  • Customer information
  • Credit cardholder information
  • SSNs
  • U-M employee privacy

Things to remember

  • All employees are responsible for protecting the personal information that U-M gathers and uses – it takes only a few details about an individual for a criminal to steal an identity, and U-M faculty and staff compile, store and access that kind of information regularly. Even if you think you already know about privacy, review the great guidance on the Safe Computing Privacy website.
  • Whenever you gather information (especially sensitive or private information), make sure you understand and clearly note the purpose(s) for which that information is being gathered. That way, you can ensure the information is used appropriately in the future – not only by you, but by others in your work team or across U-M who may have access to it.
  • All employees are responsible for organizing their work-related records so that they are accessible to those others in the University with a legitimate business need to access that information. This is something you should establish with your supervisor and work team, in accordance with SPG 601.11.
  • As a general rule, you should only be accessing information or records when you have a legitimate need to know or access that information – for instance, only accessing student records when there is a legitimate educational purpose, and only accessing U-M business records when there is a legitimate business purpose.
  • You should never be accessing the personal or scholarly records of another employee unless you have their permission, or some extenuating circumstances require it: see SPG 601.11 for more information.
  • Privacy regulations may apply to sensitive information that is stored or transmitted on any type of media – electronic, paper, microfiche, and even verbal communication.

People to talk to

For people to talk to about HIPAA, see the compliance page on HIPAA. For people to talk to about student records privacy, see the compliance page on FERPA.

For guidance or support around the IT security systems that support privacy compliance, contact your local level Security Unit Liaison, or another member of the U-M Security Community in your unit, or Information Assurance. See also the Compliance page on Information Assurance.

For advice more specifically related to access to data, copyright, preservation or destruction of information, refer to their specific compliance topic pages (as linked).

For legal assistance or advice relating to privacy, contact Jack Bernard in the Office of the General Counsel.


Established 3/4/11, last updated 7/19/18 – Contact us if you believe any information is incorrect or outdated