Personally Identifiable Information (PII)

Data Classification Level: Moderate

Key: Permission Levels

  • Permitted
  • Permitted with Information Assurance (IA) Consultation
  • Not Permitted

For IA consultation, please contact the ITS Service Center

Protecting sensitive data is a shared responsibility. You are responsible for ensuring that your use of permitted services complies with laws, regulations, and policies where applicable.

Permitted

Not Permitted

Data Type Description 

Personally Identifiable Information (PII) is a category of sensitive information that is associated with an individual person, such as an employee, student, or donor. PII should be accessed only on a strictly need-to-know basis and handled and stored with care.

PII is information that can be used to uniquely identify, contact, or locate a single person. Personal information that is “de-identified” (maintained in a way that does not allow association with a specific person) is not considered sensitive. Note that UMID numbers by themselves are not considered sensitive or personally identifiable information. While Social Security numbers are a type of PII, the legal requirements for protecting them are much more stringent than for other PII.

University policies, contractual obligations, and information security laws and regulations require appropriate protection of PII that is not publicly available.  These regulations apply to PII stored or transmitted via any type of media: electronic, paper, microfiche, and even verbal communication.

PII does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

Data Stewards: Human Resources, Information Assurance

Examples 

For Everyone at U-M:

  • National ID number
  • Passport number
  • Visa permit number
  • Driver's license number
  • Bank and credit/debit card numbers
  • Disability status
  • Ethnicity
  • Gender
  • The location of an individual at a particular time
  • Web sites visited 
  • Materials downloaded
  • Any other information reflecting preferences and behaviors of an individual 
  • Internet Protocol (IP) address (source and destination) in conjunction with other PII. IP address may identify an individual originating a transaction as well as the recipient.
  • Photos

For Employees:

  • Biographic/demographic data
    • Date and location of birth
    • Country of citizenship
    • Citizenship status
    • Marital status
    • Military status
  • Criminal record
  • Home address
  • Grievance information
  • Disciplinary records
  • Leave-of-absence reason
  • Payroll and benefits information
  • Health information (There are additional restrictions on where Protected Health Information can be stored and shared.

For Students:

For Donors:

  • Biographic/demographic data
  • Contact information
  • Prospect data
  • Gift and gift-planning data

Laws/Regulations/Policies 

Comply With Laws, Policies & Regulations
Institutional Data Resource Management Policy (SPG 601.12)

Additional Resources 

DHS Handbook for Safeguarding Sensitive Personally Identifiable Information
UMIDs Associated with Names Require Additional Protection
Andrew File System (AFS): 
Not Permitted
Canvas: 
Permitted
Cloud Storage Included with Software: 
Not Permitted
Data Warehouse: 
Permitted
Desktop Backup (Powered by Code42): 
Permitted
MiDesktop: 
Permitted
Digital Signage: 
Not Permitted
Echo360 - Lecture Capture and LectureTools: 
Not Permitted
eResearch: 
Permitted
Globus: 
Permitted
Amazon Web Services GovCloud at U-M: 
Permitted
Amazon Web Services (AWS) at U-M: 
Permitted
Google Non-Core Services: 
Not Permitted
Google Drive at U-M: 
Permitted
Google Mail and Calendar at U-M: 
Permitted
Google at U-M Core Services: 
Permitted
MiDatabase: 
Permitted
MiServer: 
Permitted
MiShare: 
Permitted
MiStorage CIFS with AWS S3 Cloud Storage Integration: 
Permitted
MiStorage (NFS): 
Not Permitted
MiVideo: 
Permitted
MiWorkspace: 
Permitted
Personal Accounts: 
Not Permitted
Personally Owned Devices (phone, tablet, laptop, etc.): 
Permitted
Qualtrics: 
Permitted
ServiceNow at Michigan Medicine: 
Permitted
MiBackup: 
Permitted
Turbo Research Storage: 
Permitted
Michigan Medicine Exchange/Outlook Email and Calendar: 
Permitted
Document Imaging System: 
Permitted
E-signature Service - SignNow: 
Permitted
Piazza Q&A: 
Not Permitted
Gradescope: 
Not Permitted
Electronic Research Notebook at U-M: 
Permitted
Microsoft Azure at U-M: 
Permitted
Google Cloud Platform (GCP) at U-M: 
Permitted
Perusall: 
Not Permitted
Secure Enclave Service (formerly Yottabyte Research Cloud): 
Permitted
Microsoft Office 365 at U-M: 
Not Permitted
Armis2: 
Permitted
Great Lakes Cluster: 
Permitted
Adobe Cloud Storage: 
Not Permitted
Zoom at U-M: 
Permitted
TeamDynamix at U-M: 
Permitted
Dropbox at U-M: 
Permitted
Virtru at U-M: 
Permitted
Microsoft Teams at U-M: 
Not Permitted
Denodo at U-M: 
Permitted
Slack at U-M: 
Permitted
Microsoft 365 at Michigan Medicine: 
Permitted
Lighthouse HPC Cluster: 
Permitted
MyDataHelps: 
Permitted
REDCap MICHR Academic License: 
Permitted
GitHub Enterprise SaaS: 
Permitted
Data Den Research Archive: 
Permitted
Locker Large-File Storage: 
Permitted