Privacy & Confidentiality

Take home message: The University deals with a great deal of sensitive, private or confidential information that must be protected and used properly – not only because it is the right thing to do, but because there are many Federal and State laws and binding agreements that require us to protect certain information. Make sure you familiarize yourself with whatever requirements are relevant to the data or information you deal with in your U-M role, and comply with them.

U-M Policy and helpful links

  • Federal and state laws and regulations (as well as binding industry standards, and general ethical and privacy considerations) require U-M to apply certain safeguards around various categories of information. Most of these safeguards require a standard of “reasonable and appropriate” protection to be afforded.
  • The Institutional Data Resource Management Policy (SPG 601.12) provides the guiding principles for U-M’s handling of privacy. The Policy also sets out the different classifications of data: sensitive, private/confidential, and public.
  • Examples of the different types of sensitive data (including private personal information) are maintained by Information and Infrastructure Assurance (IIA), including links to other information sources. IIA also compiles a summary of laws requiring security measures to be applied around various categories of information, through their Compliance Table (requires login).
  • If privacy is breached, the University may have an obligation to inform the person whose information has been accessed. It is therefore important that any potential breaches of privacy be reported so that appropriate action can be taken. You can report it to your supervisor, Security Unit Liaison or IT Security; or for the Health System, to the UMHS Compliance Office (email); or for information related to human research subjects, to the Office of the Vice President for Research (email).
  • Be aware that as well as privacy laws and standards, U-M (or individual faculty, staff or students) may also enter a confidentiality or non-disclosure agreement, contracting to keep certain information confidential – and even though we voluntarily enter such agreements, once we have, they become as binding as any of our legislative privacy obligations. If you are asked to enter a confidentiality agreement on behalf of U-M, or personally in connection with a U-M project, you should seek advice first from the Office of the General Counsel.

Major categories of information or data requiring protection:

  • Student records
  • Protected health information
  • Private personal information
  • Confidential or classified research data
  • Customer information
  • Credit cardholder information
  • SSNs
  • U-M employee privacy

Things to remember

  • All employees are responsible for protecting the personal information that U-M gathers and uses. It only takes a few details about an individual for a criminal to steal an identity, and those are exactly the details that U-M faculty and staff compile, store and access regularly. Even if you think you already know about privacy, review the guidance on the Privacy Matters website.
  • Whenever you gather information (especially sensitive or private information), make sure you understand and clearly note the purpose(s) for which that information is being gathered. That way, you can ensure the information is used appropriately in the future – not only by you, but by others in your work team or across U-M who may have access to it.
  • All employees are responsible for organizing their work-related records so that they are accessible to others in the University with a legitimate business need for that information. This is something you should establish with your supervisor and work team, in accordance with SPG 601.11.
  • As a general rule, you should only access information or records when you have a legitimate need to know or access that information – for instance, only accessing student records when there is a legitimate educational purpose, and only accessing U-M business records when there is a legitimate business purpose.
  • You should never access the personal or scholarly records of another employee unless you have their permission, or extenuating circumstances require it: see SPG 601.11 for more information.
  • Privacy regulations may apply to sensitive information in any form or medium in which it is stored or transmitted – electronic, paper, microfiche, and even verbal communication.

People to talk to

For people to talk to about HIPAA, see the compliance page on HIPAA. For people to talk to about student records privacy, see the compliance page on FERPA.

For guidance or support around the IT security systems that support privacy compliance, contact your unit's Security Unit Liaison, another member of the U-M Security Community in your unit, or Information and Infrastructure Assurance. See also the compliance page on Information and Infrastructure Assurance.

For advice more specifically related to access to data, copyright, or the preservation or destruction of information, refer to the compliance topic pages for those subjects (as linked).

For legal assistance or advice relating to privacy, contact Jack Bernard in the Office of the General Counsel.

Established 3/4/11, last updated 3/1/17 – Contact us if you believe any information is incorrect or outdated