Recent Updates to the Sensitive Data Guide

We continue to update the Sensitive Data Guide with information about new services and changes to where data may be shared and stored. Here is a record of updates:

February 19, 2021: Removed the Statistics and Computation Service entry. This service was retired on January 31, 2021.

January 26, 2021: Updated the Virtru at U-M entry with additional guidance to update your Technology Control Plan and contact the U-M Export Control Board before using it with Export Controlled Research.

January 22, 2021: Added a new service entry: Microsoft Teams at U-M.

January 11, 2021: Updated the following data type names to clarify difference between acronyms for the data type versus those for regulations that regulate those data types: 

  • Export Controlled Research (ITAR, EAR) --> Export Controlled Research (regulated by ITAR, EAR)
  • Protected Health Information (HIPAA) --> Protected Health Information (PHI, regulated by HIPAA)
  • Student Education Records (FERPA) --> Student Education Records (regulated by FERPA)
  • Student Loan Application Information (GLBA) --> Student Loan Application Information (regulated by GLBA)

January 11, 2021: Updated the Virtru at U-M and Export Controlled Research  (ITAR, EAR) entries. Virtru at U-M has been approved for use with Export Controlled Research.

January 5, 2021: Removed the Zoom for Health at U-M entry and updated the Zoom at U-M entry. The two services have been consolidated, and Zoom at U-M can now be used for Protected Health Information (HIPAA).

October 16, 2020: Updated Electronic Research Notebook at U-M to permit Student Education Records (FERPA).

September 25, 2020: Updated the name of the Personal Accounts entry to remove the examples (which included Dropbox) now that U-M offers a Dropbox at U-M service. It was previously named "Personal Accounts (Dropbox, Slack, etc.)" Also removed Dropbox from the list of examples of personal accounts in the description.

September 18, 2020: Removed the Dedoose service entry. It no longer meets the criteria for being in the guide as it is not widely used at U-M.

September 16, 2020: Removed the CTools service entry. The CTools service will be officially retired on September 22, 2020.

September 9, 2020: Added a link to the new eLearning course about FERPA from the Registrat's Office (RO100 FERPA at U-M) to the Additional Resources section of the Student Education Records (FERPA) entry.

August 27, 2020:

August 25, 2020: Added information about Dropbox Team Folders (which should be used for some types of data) to the Dropbox at U-M service page. This feature is now available to members of the U-M community.

August 18, 2020: Added a data example to the FERPA entry: Recordings of class activity. Also provided a link to a new page on Safe Computing with guidance for instructors.

July 15, 2020: Updated a service name that changed. The service formerly known as SignNow at U-M is now called E-signature Service - SignNow.

June 18, 2020: Added the Dropbox at U-M service.

May 11, 2020: Added the new TeamDynamix at U-M service.

May 6, 2020: Updated the Zoom at U-M, Zoom for Health at U-M, and BlueJeans Videoconferencing service entries with links to lists of restricted countries for those services. People in the restricted countries are unable to use those videoconferencing services for regulatory reasons.

April 30, 2020: Updated the Zoom at U-M and Zoom for Health at U-M service entries with information about Zoom webinars, which can be used for public events only.

April 1, 2020: Added the new Zoom for Health at U-M service and updated the name of the other Zoom service to Zoom at U-M.

March 31, 2020: Updated the BlueJeans Videoconferencing entry with a note that PHI may not be used in BlueJeans Events and added a link to new support documentation from BlueJeans about encrypting meetings.

March 17, 2020. Added the Zoom service.

March 13, 2020: Added the Adobe Cloud Storage service. Also updated the Cloud Storage Included with Software page to link to the new service entry.

March 12, 2020: Updated Microsoft Office 365 at U-M to include information about add-ins and about use of the local desktop version, Office 365 Pro Plus.

March 9, 2020: Updated the Cloud Storage Included with Software page to indicate that Adobe Creative Cloud software is now available to all faculty, staff, and students.

March 6, 2020: Added information about the Michigan Medicine instance of ServiceNow to ServiceNow.

February 12, 2020: Updated the entry for the Document Imaging System to show that Export Control Research and IT Security Information are not allowed on it.

January 7, 2020: Updated entry for Armis2 to show HIPAA data is allowed only with IA consultation, not simply "permitted."

December 17, 2019: Added an entry for Armis2, which has replaced Armis.

December 6, 2019: Removed the entries for Armis and Flux because these services are closed.

November 18, 2019: Added the LastPass at Michigan Medicine service.

Septempber 25, 2019: Corrected error for Personally Identifiable Information (PII) and Dedoose. The guide had indicated in error that PII was not allowed on Dedoose. Dedoose is permitted for PII.

June 12, 2019: Added a link to Ethics, Integrity & Compliance from these data-type pages: Student Education Records (FERPA)Protected Health Information (HIPAA)Student Loan Application Information (GLBA), and Sensitive Identifiable Human Subject Research.

June 12, 2019: Added a "privileged credentials" bullet item to the list of examples for IT Security Information.

June 10, 2019: Added the Microsoft Office 365 at U-M service.

May 30, 2019: Updated the name of MiStorage (CIFS) to be MiStorage CIFS with AWS S3 Cloud Storage Integration

February 27, 2019: Removed all mentions of Inbox by GMail from the Google Mail and Calendar at U-M entry. Google is discontinuing Inbox by Gmail as of the end of March 2019.

January 15, 2019: Updated the Personally Owned Devices (phone, tablet, laptop, etc.) entry to indicate that it includes Internet of Things devices.

January 14, 2019: Corrected an error. Dedoose was listed as not permitted for Social Security numbers. Actually, Dedoose is permitted for use with SSNs with IA consultation.

December 12, 2018: In MiDatabase Compliance section, removed the direction to consult with IA before using this service for HIPAA data.

December 12, 2018: On the Turbo Research page, Compliance section, adjusted the definition of the data restriction to prohibit Restricted, High, or Moderate data storage on this service.

December 4, 2018: Updated listing for Azure to note that it is in review for use with HIPAA data but that such use is not permitted at this time.

October 18, 2018: Updated the service description and the compliance information in the Personal Accounts entry to better reflect the defining characteristic of such accounts—that there is no contract in place between the account provider and the university to protect sensitive information and meet regulatory compliance requirements.

October 16, 2018: Added cloud storage caveats to MiStorage (CIFS) and MiStorage (NFS) Compliance sections.

September 10, 2018: Changed the "Imaging Services" service name to  "Document Imaging System" because the name of the service changed.

August 13, 2018: Updated Qualtrics page based on feedback from Ben Havens in Michigan Medicine Corporate Compliance.

August 7, 2018: The now-retired standard DS-06 has been removed from the "Related" section of the sidebar.

July 18, 2018: Updated the Globus entry to indicate that it is not permitted for use with Sensitive Identifiable Human Subject Research.

July 13, 2018: Changed MiStorage (CIFS) and MiStorage (NFS) from old naming convention (MiStorage with CIFS/NFS) and removed mentions of silver and gold options.

May 15, 2018: Changed Federal Information Security Management Act (FISMA) Data to "Permitted with IA Consultation" with the Amazon Web Services GovCloud at U-M and Google Cloud Platform at U-M services.

April 30, 2018: Added a new sensitive data type: Controlled Unclassified Information (CUI). Also added a new service: Yottabyte Research Cloud. The Yottabyte Research Cloud is the only service permitted for use with CUI.

April 10, 2018: Added the Perusall service.

March 27, 2018: Changed two service names to make it clearer which services are actually included. Changed "Google Additional Services (Non-Core)" to "Google Non-Core Services." Changed "Google Sites, Talk/Hangouts, Groups, Tasks, Classroom at U-M" to " Google at U-M Core Services."

March 21, 2018: Updated the MiVideo entry to indicate that Cielo24 is covered by U-M's contract with Kaltura for the MiVideo service.

February 22, 2018: Added the data steward for each sensitive data type.

January 12, 2018: Updated to indicate that Desktop Backup (Powered by CrashPlan) is not permitted with Federal Information Security Management Act (FISMA) data.

January 11, 2018: Added two cloud services: Google Cloud Platform at U-M and Microsoft Azure at U-M.

January 8, 2018: Added the Electronic Research Notebook at U-M service.

December 6, 2017: Changed the page layours for this guide based on recommendations from students in a School of Information user experience class. The changes move the information that is used most frequently to the tops of the pages.

Also updated the PII and Social Security numbers pages to indicate that although SSN's are a type of PII, they have more stringent legal requirements.

November 21, 2017: Updated the link to Imaging Services on the Imaging Services entry to point to this imaging services page. This is a newer, more up-to-date page for this service.

September 19, 2017: Removed "M Cloud" from the two Amazon Web Services entries. ITS is no longer using that name. Also added a link to a new PCI Assurance page from the Credit Card or Payment Card Industry (PCI) Information entry.

June 12, 2017: Added the Gradescope service.

May 25, 2017: Added the Dedoose service.

May 19, 2017: Added the Piazza Q&A service.

April 20, 2017: Added a recommendation to the two M Cloud service entries to use a Center for Internet Security (CIS)-compliant image with Amazon EC2.

April 2017: Updated mentions of Information and Infrastructure Assurance (IIA) to Information Assurance (IA).

April 17, 2017: Updated the following links on the Box at U-M Core Apps page: Official Box Apps, Shared Accounts in U-M Box, and Box at U-M.

March 31, 2017: The name of the Desktop Virtualization (VDI) service has changed to MiDesktop. Updated the service name.

March 28, 2017: Added the SignNow (E-Signature) service.

February 2, 2017: Removed "Guidance provided here applies only to those on the U-M Ann Arbor campus" from the guide's home page. The guide is being expanded to provide guidance for all U-M campuses.

January 18, 2017: Desktop Virtualization (VDI) is not permitted for use with FISMA data. Updated the guide to reflect this. It formerly said this use was permitted with IIA consultation.

December 2, 2016: Updated the UMHS AirWatch information in the Personally Owned Devices (phone, tablet, laptop, etc.) entry.

November 16, 2016: Removed the "Virtualization as a Service (VaaS)" service entry; this service has been retired and is no longer available.

October 27, 2016: Personally Owned Devices (phone, tablet, laptop, etc.) page was updated with two new items under "Description of Compliance." One each for PCI data and for Export Controlled Data. 

October 12, 2016: The Box at U-M Core Apps entry was updated to emphasize the need to use shared accounts, rather than individual accounts, for storing and sharing sensitive university data.

September 12, 2016: Removed the Sitemaker service entry because the service has been discontinued.

September 7, 2016: Updated the Google Mail and Calendar at U-M to include Inbox by GMail. Inbox by GMail is considered a Core Service and is covered by the university’s Google Apps for Education agreement.

August 29, 2016: The M Cloud Amazon Web Services (AWS) service should not be used with FISMA data. The guide was updated to reflect this.

August 16, 2016: Changed M+Box to Box at U-M and M+Google to Google at U-M to reflected changed naming and branding for those services.

July 29, 2016: Added to the Box at U-M Core Apps entry that it is highly recommended that people use a shared Box at U-M account that has been set up for sensitive data.

July 22, 2016: Updated the Private Personal Information (PPI) data type with some additional examples of PPI, including IP address, location, and more.

July 8, 2016: Renamed the Private Personal Information (PPI) data type. That data type is now named Personally Identifiable Information (PII).

July 5, 2016: Updated a link in the Social Security Numbers entry. The SSN policy in the U-M Standard Practice Guide has been retired and replaced with a new standard: Social Security Number Privacy and Protection (DS - 10).

June 22, 2016: Updated the description of Sensitive Identifiable Human Subject Research.

June 17, 2016: Removed a paragraph from the Box at U-M Core Apps entry about appropriate use of an option within Box at U-M to create Google Docs and other files using online Microsoft Office programs because this option is no longer available.

May 12, 2016: Added a new service entry for Imaging Services.

May 11, 2016: Updated the Turbo Research Storage (for Some Sensitive Data) with NFSv4+Kerberos service entry to reflect availability of using the CIFS protocol. the service name was changed toTurbo Research Storage (for Some Sensitive Data) with NFSv4+Kerberos or CIFS.

April 20, 2016: Removed the note about consulting with IIA to document data sets and locations for HIPAA data from the MiStorage (for Some Sensitive Data) with CIFS and Turbo Research Storage (for Some Sensitive Data) with NFSv4+Kerberos services. 

March 17, 2016: Changed the name of the TSM backup service to MiBackup and updated the link to service information to reflect the service's new name and branding.

Februry 22, 2016: Updated the description of the Sensitive Identifiable Human Subject Research data type.

February 1, 2016: Added the Armis service. The Armis high performance computing cluster, in conjunction with Turbo Research Storage with NFSv4+Kerberos, provides a secure, scalable, high-performance, distributed computing environment that aligns with HIPAA privacy standards.

January 27, 2016: Updated the Box at U-M Core Apps entry to note that when you use the option within Box at U-M to create Microsoft Office or Google files or documents, you are using services outside of Box at U-M and must be aware that those other services have different sensitive data restrictions from Box at U-M.

January 14, 2016: Updated the names of the MiStorage with CIFS and Turbo Research Storage with NFSv4+Kerberos entries in the guide to indicate that they are intended for storage of some types of sensitive data (as opposed to the versions of those services that use other protocols).

November 11, 2015: Added the Statistics and Computation Service entry to provide guidance about appropriate use. The Statistics and Computation Service is not intended for storage of sensitive university data.

October 30, 2015: Updated the Blue Jeans Video Conferencing entry. U-M's agreement with Blue Jeans now includes a Business Associate Agreement. This means individuals may use this service to share Protected Health Information (PHI) regulated by HIPAA.

Added the Andrew File System (AFS) service to provide guidance about appropriate use. AFS is not intended for storage of sensitive university data.

September 21, 2015: Added two new services: Turbo Research Storage with NFS and Turbo Research Storage with NFSv4+Kerberos.

June 26, 2015: Added a new entry for Cloud Storage Included with Software. Cloud-based storage that is provided as part of a user license or subscription (that is, storage that is tied to a named individual or group account) should not be used to maintain or share the university's sensitive data.

June 24, 2015: Revised the entry for Google at U-M Additional Services (Non-Core) to clarify that any Google service not specifically identified in the Google at U-M List of Services as a Core service, including Google extensions and add-ons, is considered Non-Core. Non-Core services are not covered by the university’s Google Apps for Education agreement and therefore may not be used to share or maintain any of the university’s sensitive data.

June 18, 2015: Removed the entry for Value Storage and replaced it with an entry for the new MiStorage with NFS service. Removed the entry for Mainstream Storage and replaced it with an entry for the new MiStorage with CIFS service.

June 17, 2015: In the Personal Accounts entry, added a link to the new Use of Personal Accounts and Data Security page on Safe Computing. This page provides additional information about personal accounts.

April 3, 2015: Added Canvas. Canvas is a cloud-based Learning Management System that provides a set of tools for teaching and learning allowing faculty to manage instructional workflows, communicate class requirements, share documents, manage assignments, assess student performance, distribute grades, support course collaboration and discussions.

March 2, 2015: Updated the statement of compliance for the UMHS Exchange/Outlook email system to reference the encrypted email service that UMHS is implementing today.

December 19, 2014: Added a note about the new mobile device management system that the U-M Health System is implementing to the Personally Owned Devices data type. Additionally, it is now permitted to use the Desktop Virtualization (VDI) service to share or store FISMA data with IIA consultation. 

November 13, 2014: Added a new link to the Box at U-M Core Apps data type. The link is to a new page that lists minimum requirements for using Box at U-M with sensitive university data: Using Box at U-M Securely with Sensitive Data.

November 12, 2014: Updated the Personal Acounts data type to indicate that Apple iCloud and Microsoft OneDrive are additional examples of personal accounts that may not be used to maintain or share sensitive university data.

October 8, 2014: Added the Echo 360 - Lecture Capture and LectureTools service. Echo 360 is integrated with CTools, and supports student interaction, information delivery, and lightweight assessment during class.  

August 19, 2014: U-M and Box have signed a Business Associate Agreement, which means Box at U-M can now be used to maintain Protected Health Information regulated by HIPAA. The Box at U-M information was updated to reflect this.

Added the new Google Classroom application to the page listing Google at U-M Core Apps. Classroom is a Google Core Service and is covered by the university’s Google Apps for Education agreement.

August 1, 2014: Added this compliance information to the Qualtrics service information at the request of U-M Health System Compliance: Sensitive data, including PHI, may be collected and stored in Qualtrics for non-clinical, academic purposes only (for example, research and hospital quality improvement initiatives). Qualtrics cannot be used for any clinical applications, no matter the sensitivity level of the data.

July 21, 2014: Added the Blue Jeans cloud-based videoconferencing service.

June 9, 2014: Added the Digital Signage service. Digital Signage is used in U-M buildings and public areas (such as bus stops) to provide valuable information to the U-M community. Additionally, the eResearch service was added. eResearch is a set of vendor-provided web-based applications customized for U-M that support business processes involved in research, such as grant proposals and conflict of interest management.

June 4, 2014: Updated the icons indicating which data types can be worked with from personally owned devices in accordance with Security of Personally Owned Devices that Access or Maintain Sensitive Institutional Data (SPG 601.33). Added a box and red text to call attention to the fact that people must have departmental approval to use their own devices to work with the data types listed here as permitted.

May 14, 2014: Updated the Personally Owned Devices data type with information about Security of Personally Owned Devices that Access or Maintain Sensitive Institutional Data (SPG 601.33). For now, updated the description of compliance to indicate that departments have begun making decisions regarding whether they will impose department-specific restrictions beyond those outlined in the policy.

March 17, 2014: M+Amazon Web Services (AWS) service was renamed M Cloud Amazon Web Services (AWS). M Cloud is the U-M offering of public cloud services to the University of Michigan (U-M) community.

February 25, 2014: Added the new Qualtrics service. Qualtrics Research Suite is a generalized survey service permitting the creation and distribution of surveys, as well as data storage and analysis.

February 17, 2014: Added the new M+Amazon Web Services (AWS) - GovCloud service. GovCloud is an instance of M+AWS that is compliant with Export Control regulations.

December 10, 2013: Added three new services:

  • Globus
  • M+Amazon Web Services (M+AWS)
  • MiVideo

Also added some examples to the FISMA entry.

October 2, 2013: Added the new MiShare service. MiShare is a file exchange service provided by Medical Center Information Technology (MCIT).

August 14, 2013: Added the new ServiceLink service. ServiceLink is used by the ITS Service Center and LSA IT to manage help requests from members of the university community.

July 15, 2013: CTools can now be used for Protected Health Information as long as you use the new CTools HIPAA-aligned site template.

May 8, 2013: Added the Flux service and Other Sensitive University Data.

March 28, 2013: Changed these services from "Not Permitted without IIA Approval" to "Permitted" for HIPAA data:

  • Desktop Virtualization (VDI)
  • Mainstream Storage
  • MiDatabase
  • MiServer
  • MiWorkspace
  • TSM Backup
  • Virtualization as a Service (VaaS)
  • Wolverine Access

These services include the safeguards required for maintaining HIPAA data. To fully satisfy HIPAA compliance, IIA is required to track Protected Health Information and will work with you to document your data sets and their location. (Contact IIA via the ITS Service Center.)

March 27, 2013

  • Added a service: Desktop Backup (Powered by CrashPlan)
  • Added a data type: Other University Sensitive Data
  • Added a link to the Sensitive Regulated Data: Permitted and Restricted Uses Standard