Sensitive Regulated Data: Permitted and Restricted Uses

Standard number: DS-06
Date issued: 1/3/12
Date last reviewed: 8/26/14
Version: 1.4
Approval authority: CIO and Associate Vice President for ITS
Responsible office: Information and Infrastructure Assurance
Printable copy: Sensitive Regulated Data: Permitted and Restricted Uses (PDF)

I. Purpose

The university engages in research, teaching, clinical, and business activities that encompass a variety of sensitive regulated data. This standard defines permitted and restricted uses of such university-owned data, including the IT environments in which these data are maintained by university faculty and staff.

This standard is governed by the following university SPGs:

For a complete set of university SPGs that support this standard, see Section VII: References.

By implementing this standard, the university establishes a university-wide framework to comply with federal, state, and local law, and/or university policies or agreements that require the university to implement specific privacy and security safeguards.

II. Scope and Authority

This standard applies to all faculty, researchers, staff, students, and workforce members of the U-M, including the Health System.

Information and Infrastructure Assurance, a division of Information and Technology Services, is responsible for the maintenance and interpretation of this standard.

III. Standard

Members of the university community have individual and shared responsibilities to

IV. Violation of the Standard - Misuse of Information

In accordance with SPG 601.07, Responsible Use of Information Resources, the university characterizes certain activities related to misuse of regulated data as unethical and unacceptable. Violations of this standard may result in disciplinary action up to and including non-reappointment, discharge, dismissal, and/or legal action.

V. Definitions

  1. Sensitive Regulated Data: For purposes of this standard, "sensitive regulated data" is defined as data that requires the university to implement specific privacy and security safeguards as mandated by federal, state, and/or local law, or university policy or agreement. Regulations or categories of data most applicable to U-M include:
    1. Family Educational Rights and Privacy Act (FERPA)
    2. Health Insurance Portability and Accountability Act (HIPAA)
    3. Social Security Numbers (SSNs)
    4. Gramm Leach Bliley Act (read about GLBA Compliance at U-M)
    5. Payment Card Industry Data Security Standards (PCI-DSS)
    6. Sensitive Identifiable Human Subject Research
    7. Export Controlled Research - International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR)
  2. IT Environment: For purposes of this standard, "IT environment" means any IT service directly maintained by the university, under contract or agreement with U-M, or that is personally-owned or maintained.
  3. University-owned: For purposes of this standard, "university-owned" data means any data that is created or maintained under the auspices of an individual's institutional role as a university employee or affiliate.
  4. Personally-owned: For purposes of this standard, "personally-owned" means any device, mobile or otherwise, or service that is not governed by a university contract or agreement.

VI. Additional Resources

See Information Security Laws and Regulations Related to Handling Sensitive Data for specific definitions and real-life examples of the regulated and sensitive data types included in the U-M standard.

Additional information about this standard, and how it is to be applied and interpreted, is provided in Safely Use the Cloud. The FAQ will be regularly updated to include new recurring questions asked by U-M faculty and staff.

VII. References

The Sensitive Data Guide to IT Services helps you make informed decisions about where to safely store and share sensitive regulated and non-regulated data using IT services available on the U-M Ann Arbor campus.