All Data Types

Controlled Unclassified Information (CUI)

Controlled Unclassified Information (CUI), as defined by Executive Order 13556 (2010), is federal non-classified information that must be safeguarded by implementing a uniform set of requirements and information security controls directed at securing sensitive government information. CUI requirements do not apply directly to non-federal entities, but can flow down when U-M research projects receive, possess or create such information for or on behalf of the U.S. government under the terms of a contract, grant, or other agreement.

Data Steward: U-M Office of Research (UMOR) Research Information Oversight Program: [email protected].

Credit Card or Payment Card Industry (PCI) Information

Information related to credit, debit, or other payment cards. This data type is governed by the Payment Card Industry Data Security Standard (PCI DSS) and overseen by the University of Michigan Treasurer's Office. Credit or debit card numbers cannot be stored in any electronic format without the express, written consent of the U-M Treasurer's Office. That office is responsible for the only PCI-compliant environment at the university.

If your unit wants to start accepting credit card payments, contact the University of Michigan Treasurer's Office to arrange for this. You cannot handle the transactions using departmental computers.

Restrictions listed here do not apply to your own personal credit card information. However, it is recommended that you follow the same precautions with regard to your own personal information as you would with university data.

Data Steward: University Treasurer: [email protected]

Export Controlled Research (regulated by ITAR, EAR)

Export Controlled Research includes information that is regulated for reasons of national security, foreign policy, anti-terrorism, or non-proliferation. The International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) govern this data type. Current law requires that this data be stored in the U.S. and that only authorized U.S. persons be allowed access to it.

Data Steward: U-M Research Ethics and Compliance, Export Control Officer: [email protected]

Federal Information Security Management Act (FISMA) Data

The Federal Information Security Management Act (FISMA) requires federal agencies and those providing services on their behalf to develop, document, and implement security programs for information technology systems and store the data on U.S. soil. This means that, under some federal contracts or grants, information the university collects or information systems that the university uses to process or store research data need to comply with FISMA.

Whether data is regulated by FISMA is typically called out in a Request for Proposal (RFP) or in contract or grant language. It is important that researchers review grant and contract language closely to identify FISMA or other information security requirements.

Data Steward: U-M Office of Research (UMOR) Research Information Oversight Program: [email protected].

IT Security Information

IT Security Information consists of information that is generated as a result of automated or manual processes that are intended to safeguard the university’s IT resources. It includes settings, configurations, reports, log data, and other information that supports IT security operations.

Passwords, a particular type of IT Security Information, should not be permanently stored in any online storage service. Normally passwords should not need to be conveyed from one person to another; people should set their own initial password and use account recovery for forgotten passwords. However, in cases where a hand-off between two persons is unavoidable, passwords may be electronically conveyed as long as certain conditions are met:

  • A password can be put in a Dropbox at U-M Paper and shared with the person it is for if the Paper is deleted after five days.
  • A password can be sent via Gmail at U-M only if Virtru encryption is used, forwarding is disabled, and the message is set to expire after five days.
  • Password recipients should be advised to change their password immediately on first use.

Data Steward: Information Assurance

Personally Identifiable Information (PII)

Personally Identifiable Information (PII) is a category of sensitive information that is associated with an individual person, such as an employee, student, or donor. PII should be accessed only on a strictly need-to-know basis and handled and stored with care.

PII is information that can be used to uniquely identify, contact, or locate a single person. Personal information that is “de-identified” (maintained in a way that does not allow association with a specific person) is not considered sensitive. Note that UMID numbers by themselves are not considered sensitive or personally identifiable information. While Social Security numbers are a type of PII, the legal requirements for protecting them are much more stringent than for other PII.

University policies, contractual obligations, and information security laws and regulations require appropriate protection of PII that is not publicly available. These regulations apply to PII stored or transmitted via any type of media: electronic, paper, microfiche, and even verbal communication.

PII does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

Data Stewards: Human Resources, Information Assurance

Protected Health Information (PHI, regulated by HIPAA)

Protected Health Information (PHI) is regulated by the Health Insurance Portability and Accountability Act (HIPAA). PHI is individually identifiable health information that relates to the

  • Past, present, or future physical or mental health or condition of an individual.
  • Provision of health care to the individual by a covered entity (for example, hospital or doctor).
  • Past, present, or future payment for the provision of health care to the individual.

Researchers should be aware that health and medical information about research subjects may also be regulated by HIPAA.

Data Steward: Michigan Medicine Corporate Compliance: [email protected]

Sensitive Identifiable Human Subject Research

Sensitive identifiable human subject research data is regulated by the Federal Policy for the Protection of Human Subjects (also called the “Common Rule”). Among other requirements, the Common Rule mandates that researchers protect the privacy of subjects and maintain confidentiality of human subject data.

A human subject is defined by federal regulations as a “living individual about whom an investigator (whether professional or student) conducting research obtains (1) data through intervention or interaction with the individual, or (2) identifiable private information.”

“Identifiable” means the information contains one or more data elements that can be combined with other reasonably available information to identify an individual (for example, Social Security number, health care record).

Personally identifiable data is sensitive if disclosure of such data would pose increased social/reputational, legal, employability, or insurability risk to subjects.

Data Steward: U-M Research Ethics and Compliance, Human Research Protection Program (HRPP): [email protected]