We continue to update the Sensitive Data Guide with information about new services and changes to where data may be shared and stored. Here is a record of updates:
February 27, 2019: Removed all mentions of Inbox by GMail from the Google Mail and Calendar at U-M entry. Google is discontinuing Inbox by Gmail as of the end of March 2019.
January 15, 2019: Updated the Personally Owned Devices (phone, tablet, laptop, etc.) entry to indicate that it includes Internet of Things devices.
December 12, 2018: In MiDatabase Compliance section, removed the direction to consult with IA before using this service for HIPAA data.
December 12, 2018: On the Turbo Research page, Compliance section, adjusted the definition of the data restriction to prohibit Restricted, High, or Moderate data storage on this service.
December 4, 2018: Updated listing for Azure to note that it is in review for use with HIPAA data but that such use is not permitted at this time.
October 18, 2018: Updated the service description and the compliance information in the Personal Accounts entry to better reflect the defining characteristic of such accounts—that there is no contract in place between the account provider and the university to protect sensitive information and meet regulatory compliance requirements.
September 10, 2018: Changed the "Imaging Services" service name to "Document Imaging System" because the name of the service changed.
August 13, 2018: Updated Qualtrics page based on feedback from Ben Havens in Michigan Medicine Corporate Compliance.
August 7, 2018: The now-retired standard DS-06 has been removed from the "Related" section of the sidebar.
May 15, 2018: Changed Federal Information Security Management Act (FISMA) Data to "Permitted with IA Consultation" with the Amazon Web Services GovCloud at U-M and Google Cloud Platform at U-M services.
April 30, 2018: Added a new sensitive data type: Controlled Unclassified Information (CUI). Also added a new service: Yottabyte Research Cloud. The Yottabyte Research Cloud is the only service permitted for use with CUI.
April 10, 2018: Added the Perusall service.
March 27, 2018: Changed two service names to make it clearer which services are actually included. Changed "Google Additional Services (Non-Core)" to "Google Non-Core Services." Changed "Google Sites, Talk/Hangouts, Groups, Tasks, Classroom at U-M" to " Google at U-M Core Services."
March 21, 2018: Updated the MiVideo entry to indicate that Cielo24 is covered by U-M's contract with Kaltura for the MiVideo service.
February 22, 2018: Added the data steward for each sensitive data type.
January 12, 2018: Updated to indicate that Desktop Backup (Powered by CrashPlan) is not permitted with Federal Information Security Management Act (FISMA) data.
January 8, 2018: Added the Electronic Research Notebook at U-M service.
December 6, 2017: Changed the page layours for this guide based on recommendations from students in a School of Information user experience class. The changes move the information that is used most frequently to the tops of the pages.
Also updated the PII and Social Security numbers pages to indicate that although SSN's are a type of PII, they have more stringent legal requirements.
September 19, 2017: Removed "M Cloud" from the two Amazon Web Services entries. ITS is no longer using that name. Also added a link to a new PCI Assurance page from the Credit Card or Payment Card Industry (PCI) Information entry.
June 12, 2017: Added the Gradescope service.
May 25, 2017: Added the Dedoose service.
May 19, 2017: Added the Piazza Q&A service.
April 20, 2017: Added a recommendation to the two M Cloud service entries to use a Center for Internet Security (CIS)-compliant image with Amazon EC2.
April 2017: Updated mentions of Information and Infrastructure Assurance (IIA) to Information Assurance (IA).
March 31, 2017: The name of the Desktop Virtualization (VDI) service has changed to MiDesktop. Updated the service name.
March 28, 2017: Added the SignNow (E-Signature) service.
February 2, 2017: Removed "Guidance provided here applies only to those on the U-M Ann Arbor campus" from the guide's home page. The guide is being expanded to provide guidance for all U-M campuses.
January 18, 2017: Desktop Virtualization (VDI) is not permitted for use with FISMA data. Updated the guide to reflect this. It formerly said this use was permitted with IIA consultation.
December 2, 2016: Updated the UMHS AirWatch information in the Personally Owned Devices (phone, tablet, laptop, etc.) entry.
November 16, 2016: Removed the "Virtualization as a Service (VaaS)" service entry; this service has been retired and is no longer available.
October 27, 2016: Personally Owned Devices (phone, tablet, laptop, etc.) page was updated with two new items under "Description of Compliance." One each for PCI data and for Export Controlled Data.
October 12, 2016: The Box at U-M Core Apps entry was updated to emphasize the need to use shared accounts, rather than individual accounts, for storing and sharing sensitive university data.
October 12, 2016: Removed the Sitemaker service entry because the service has been discontinued.
September 12, 2016: Removed the Sitemaker service entry because the service has been discontinued.
September 7, 2016: Updated the Google Mail and Calendar at U-M to include Inbox by GMail. Inbox by GMail is considered a Core Service and is covered by the university’s Google Apps for Education agreement.
August 16, 2016: Changed M+Box to Box at U-M and M+Google to Google at U-M to reflected changed naming and branding for those services.
July 29, 2016: Added to the Box at U-M Core Apps entry that it is highly recommended that people use a shared Box at U-M account that has been set up for sensitive data.
July 22, 2016: Updated the Private Personal Information (PPI) data type with some additional examples of PPI, including IP address, location, and more.
July 8, 2016: Renamed the Private Personal Information (PPI) data type. That data type is now named Personally Identifiable Information (PII).
July 5, 2016: Updated a link in the Social Security Numbers entry. The SSN policy in the U-M Standard Practice Guide has been retired and replaced with a new standard: Social Security Number Privacy and Protection (DS - 10).
June 22, 2016: Updated the description of Sensitive Identifiable Human Subject Research.
June 17, 2016: Removed a paragraph from the Box at U-M Core Apps entry about appropriate use of an option within Box at U-M to create Google Docs and other files using online Microsoft Office programs because this option is no longer available.
May 12, 2016: Added a new service entry for Imaging Services.
May 11, 2016: Updated the Turbo Research Storage (for Some Sensitive Data) with NFSv4+Kerberos service entry to reflect availability of using the CIFS protocol. the service name was changed toTurbo Research Storage (for Some Sensitive Data) with NFSv4+Kerberos or CIFS.
April 20, 2016: Removed the note about consulting with IIA to document data sets and locations for HIPAA data from the MiStorage (for Some Sensitive Data) with CIFS and Turbo Research Storage (for Some Sensitive Data) with NFSv4+Kerberos services.
March 17, 2016: Changed the name of the TSM backup service to MiBackup and updated the link to service information to reflect the service's new name and branding.
Februry 22, 2016: Updated the description of the Sensitive Identifiable Human Subject Research data type.
February 1, 2016: Added the Armis service. The Armis high performance computing cluster, in conjunction with Turbo Research Storage with NFSv4+Kerberos, provides a secure, scalable, high-performance, distributed computing environment that aligns with HIPAA privacy standards.
January 27, 2016: Updated the Box at U-M Core Apps entry to note that when you use the option within Box at U-M to create Microsoft Office or Google files or documents, you are using services outside of Box at U-M and must be aware that those other services have different sensitive data restrictions from Box at U-M.
January 14, 2016: Updated the names of the MiStorage with CIFS and Turbo Research Storage with NFSv4+Kerberos entries in the guide to indicate that they are intended for storage of some types of sensitive data (as opposed to the versions of those services that use other protocols).
November 11, 2015: Added the Statistics and Computation Service entry to provide guidance about appropriate use. The Statistics and Computation Service is not intended for storage of sensitive university data.
October 30, 2015: Updated the Blue Jeans Video Conferencing entry. U-M's agreement with Blue Jeans now includes a Business Associate Agreement. This means individuals may use this service to share Protected Health Information (PHI) regulated by HIPAA.
Added the Andrew File System (AFS) service to provide guidance about appropriate use. AFS is not intended for storage of sensitive university data.
June 26, 2015: Added a new entry for Cloud Storage Included with Software. Cloud-based storage that is provided as part of a user license or subscription (that is, storage that is tied to a named individual or group account) should not be used to maintain or share the university's sensitive data.
June 24, 2015: Revised the entry for Google at U-M Additional Services (Non-Core) to clarify that any Google service not specifically identified in the Google at U-M List of Services as a Core service, including Google extensions and add-ons, is considered Non-Core. Non-Core services are not covered by the university’s Google Apps for Education agreement and therefore may not be used to share or maintain any of the university’s sensitive data.
June 18, 2015: Removed the entry for Value Storage and replaced it with an entry for the new MiStorage with NFS service. Removed the entry for Mainstream Storage and replaced it with an entry for the new MiStorage with CIFS service.
June 17, 2015: In the Personal Accounts entry, added a link to the new Use of Personal Accounts and Data Security page on Safe Computing. This page provides additional information about personal accounts.
April 3, 2015: Added Canvas. Canvas is a cloud-based Learning Management System that provides a set of tools for teaching and learning allowing faculty to manage instructional workflows, communicate class requirements, share documents, manage assignments, assess student performance, distribute grades, support course collaboration and discussions.
March 2, 2015: Updated the statement of compliance for the UMHS Exchange/Outlook email system to reference the encrypted email service that UMHS is implementing today.
December 19, 2014: Added a note about the new mobile device management system that the U-M Health System is implementing to the Personally Owned Devices data type. Additionally, it is now permitted to use the Desktop Virtualization (VDI) service to share or store FISMA data with IIA consultation.
November 13, 2014: Added a new link to the Box at U-M Core Apps data type. The link is to a new page that lists minimum requirements for using Box at U-M with sensitive university data: Using Box at U-M Securely with Sensitive Data.
November 12, 2014: Updated the Personal Acounts data type to indicate that Apple iCloud and Microsoft OneDrive are additional examples of personal accounts that may not be used to maintain or share sensitive university data.
October 8, 2014: Added the Echo 360 - Lecture Capture and LectureTools service. Echo 360 is integrated with CTools, and supports student interaction, information delivery, and lightweight assessment during class.
August 19, 2014: U-M and Box have signed a Business Associate Agreement, which means Box at U-M can now be used to maintain Protected Health Information regulated by HIPAA. The Box at U-M information was updated to reflect this.
Added the new Google Classroom application to the page listing Google at U-M Core Apps. Classroom is a Google Core Service and is covered by the university’s Google Apps for Education agreement.
August 1, 2014: Added this compliance information to the Qualtrics service information at the request of U-M Health System Compliance: Sensitive data, including PHI, may be collected and stored in Qualtrics for non-clinical, academic purposes only (for example, research and hospital quality improvement initiatives). Qualtrics cannot be used for any clinical applications, no matter the sensitivity level of the data.
July 21, 2014: Added the Blue Jeans cloud-based videoconferencing service.
June 9, 2014: Added the Digital Signage service. Digital Signage is used in U-M buildings and public areas (such as bus stops) to provide valuable information to the U-M community. Additionally, the eResearch service was added. eResearch is a set of vendor-provided web-based applications customized for U-M that support business processes involved in research, such as grant proposals and conflict of interest management.
June 4, 2014: Updated the icons indicating which data types can be worked with from personally owned devices in accordance with Security of Personally Owned Devices that Access or Maintain Sensitive Institutional Data (SPG 601.33). Added a box and red text to call attention to the fact that people must have departmental approval to use their own devices to work with the data types listed here as permitted.
May 14, 2014: Updated the Personally Owned Devices data type with information about Security of Personally Owned Devices that Access or Maintain Sensitive Institutional Data (SPG 601.33). For now, updated the description of compliance to indicate that departments have begun making decisions regarding whether they will impose department-specific restrictions beyond those outlined in the policy.
March 17, 2014: M+Amazon Web Services (AWS) service was renamed M Cloud Amazon Web Services (AWS). M Cloud is the U-M offering of public cloud services to the University of Michigan (U-M) community.
February 25, 2014: Added the new Qualtrics service. Qualtrics Research Suite is a generalized survey service permitting the creation and distribution of surveys, as well as data storage and analysis.
February 17, 2014: Added the new M+Amazon Web Services (AWS) - GovCloud service. GovCloud is an instance of M+AWS that is compliant with Export Control regulations.
December 10, 2013: Added three new services:
- M+Amazon Web Services (M+AWS)
Also added some examples to the FISMA entry.
October 2, 2013: Added the new MiShare service. MiShare is a file exchange service provided by Medical Center Information Technology (MCIT).
August 14, 2013: Added the new ServiceLink service. ServiceLink is used by the ITS Service Center and LSA IT to manage help requests from members of the university community.
July 15, 2013: CTools can now be used for Protected Health Information as long as you use the new CTools HIPAA-aligned site template.
May 8, 2013: Added the Flux service and Other Sensitive University Data.
March 28, 2013: Changed these services from "Not Permitted without IIA Approval" to "Permitted" for HIPAA data:
- Desktop Virtualization (VDI)
- Mainstream Storage
- TSM Backup
- Virtualization as a Service (VaaS)
- Wolverine Access
These services include the safeguards required for maintaining HIPAA data. To fully satisfy HIPAA compliance, IIA is required to track Protected Health Information and will work with you to document your data sets and their location. (Contact IIA via the ITS Service Center.)
March 27, 2013
- Added a service: Desktop Backup (Powered by CrashPlan)
- Added a data type: Other University Sensitive Data
- Added a link to the Sensitive Regulated Data: Permitted and Restricted Uses Standard