Sensitive Regulated Data: Permitted and Restricted Uses

Standard number: Data Security (DS)-06
Date issued: 1/3/12
Date last reviewed: 8/26/14
Version: 1.4
Approval authority: CIO and Associate Vice President for ITS
Responsible office: Information and Infrastructure Assurance
  1. Purpose
    The university engages in research, teaching, clinical, and business activities that encompass a variety of sensitive regulated data. This standard defines permitted and restricted uses of such university-owned data, including the IT environments in which these data are maintained by university faculty and staff.

    This standard is governed by the following university SPGs:

    For a complete set of university SPGs that support this standard, see Section VII: References.

    By implementing this standard, the university establishes a university-wide framework to comply with federal, state, and local law, and/or university policies or agreements that require the university to implement specific privacy and security safeguards.

  2. Scope and Authority
    This standard applies to all faculty, researchers, staff, students, and workforce members of the U-M, including the Health System.

    Information and Infrastructure Assurance, a division of Information and Technology Services, is responsible for the maintenance and interpretation of this standard.

  3. Standard
    Members of the university community have individual and shared responsibilities to
  4. Violation of the Standard - Misuse of Information
    In accordance with SPG 601.07, Responsible Use of Information Resources, the university characterizes certain activities related to misuse of regulated data as unethical and unacceptable. Violations of this standard may result in disciplinary action up to and including non-reappointment, discharge, dismissal, and/or legal action.
  5. Definitions
    1. Sensitive Regulated Data: For purposes of this standard, "sensitive regulated data" is defined as data that requires the university to implement specific privacy and security safeguards as mandated by federal, state, and/or local law, or university policy or agreement. Regulations or categories of data most applicable to U-M include:
      1. Family Educational Rights and Privacy Act (FERPA)
      2. Health Insurance Portability and Accountability Act (HIPAA)
      3. Social Security Numbers (SSNs)
      4. Gramm Leach Bliley Act (read about GLBA Compliance at U-M)
      5. Payment Card Industry Data Security Standards (PCI-DSS)
      6. Sensitive Identifiable Human Subject Research
      7. Export Controlled Research - International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR)
    2. IT Environment: For purposes of this standard, "IT environment" means any IT service directly maintained by the university, under contract or agreement with U-M, or that is personally-owned or maintained.
    3. University-owned: For purposes of this standard, "university-owned" data means any data that is created or maintained under the auspices of an individual's institutional role as a university employee or affiliate.
    4. Personally-owned: For purposes of this standard, "personally-owned" means any device, mobile or otherwise, or service that is not governed by a university contract or agreement.
  6. Additional Resources
    See Information Security Laws and Regulations Related to Handling Sensitive Data for specific definitions and real-life examples of the regulated and sensitive data types included in the U-M standard.

    Additional information about this standard, and how it is to be applied and interpreted, is provided in Safely Use the Cloud. The FAQ will be regularly updated to include new recurring questions asked by U-M faculty and staff.

  7. References
    1. Responsible Use of Information Resources (SPG 601.07)
    2. Institutional Data Resource Management Policy (SPG 601.12)
    3. Information Security Policy (SPG 601.27)
    4. Information Security Incident Reporting Policy (SPG 601.25)
    5. Social Security Number Privacy and Protection (DS-10)
    6. Defense and Indemnification (SPG 601.9)

The Sensitive Data Guide to IT Services helps you make informed decisions about where to safely store and share sensitive regulated and non-regulated data using IT services available on the U-M Ann Arbor campus.