You are here

Home arrow image Sensitive Data Guide arrow image Researchers

Researchers

As U-M researcher, you are responsible for safeguarding information about your research, as well as university information that you may have access to. Use this Sensitive Data Guide to learn about appropriate services for storing and sharing sensitive research and other university information.

Commonly Used Data Types

Attorney/Client Privileged

Confidential communications between a client and an attorney for the purpose of securing legal advice. For the privilege of confidentiality to exist, the communication must be to, from, or with an attorney.

Export Controlled Research (ITAR or EAR)

Export Controlled Research includes information that is regulated for reasons of national security, foreign policy, anti-terrorism, or non-proliferation. The International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) govern this data type. Current law requires that this data be stored in the U.S and that only authorized U.S. persons be allowed access to it.

Federal Information Security Management Act (FISMA) Data

The Federal Information Security Management Act (FISMA) requires federal agencies and those providing services on their behalf to develop, document, and implement security programs for IT systems and store the data on U.S. soil. FISMA applies generally to federal contracts as opposed to grants.

Other University Sensitive Data

According to university policy, data will typically be classified as sensitive if any of the following are true:

  • Unauthorized disclosure may have serious adverse effects on the university’s reputation, resources, or services or on individuals
  • It is protected under federal or state regulations.
  • There are proprietary, ethical, or privacy considerations.

Private Personal Information (PPI)

Private Personal Information (PPI) is a category of sensitive information that is associated with an individual person, such as an employee, student, or donor. PPI should be accessed only on a strict need-to-know basis and handled with care.

PPI is information that can be used to uniquely identify, contact, or locate a single person. Personal information that is “de-identified” (maintained in a way that does not allow association with a specific person) is not considered sensitive.

Appropriate protection of PPI that is not publicly available is required by Laws and Regulations Related to Handling Sensitive Protected Data, contractual obligations, and university policies. These regulations apply to PPI stored or transmitted on any type of media: electronic, paper, microfiche, and even verbal communication.

Protected Health Information (HIPAA)

Protected Health Information (PHI) is any health information that can be linked to an identifiable individual, such as a patient receiving treatment at the U-M Health System. PHI is regulated by the Health Insurance Portability and Accountability Act (HIPAA). Researchers should be aware that health and medical information about research subjects may also be regulated by HIPAA. Researchers can contact the UMHS Compliance Office with questions.

Sensitive Identifiable Human Subject Research

Individually identifiable research data containing sensitive information about human subjects. A human subject is a living individual about whom a researcher obtains data and information that can be used to identify him or her.

The researcher determines whether the data is sensitive or not, based on privacy and ethical considerations. This data type is governed by the Federal Policy for the Protection of Human Subjects (also called the “Common Rule”). Among other requirements, the Common Rule mandates that researchers protect the privacy of subjects and maintain confidentiality of human subject data.

Social Security Numbers

Social Security Numbers are unique, nine-digit numbers issued to U.S. citizens, permanent residents, and temporary (working) residents for taxation, social benefits, and other purposes.

Social Security Numbers are a primary target for identity thieves. They fall into the U-M category of sensitive Private Protected Information (PPI).

Student Education Records (FERPA)

Records that contain information directly related to a student and that are maintained by the University of Michigan or by a person acting for the university. The Family Educational Rights and Privacy Act (FERPA) governs release of, and access to, student education records. Directory information about a student is not regulated by FERPA and can be released by the university without the student's permission. Students can request non-disclosure from the U-M Registrar's Office.