All members of the U-M community share responsibility for safeguarding university resources and data, and complying with university policies and data protection laws and regulations.
Data security is an important consideration that should be taken into account early in a research project to allow researchers to properly prepare and budget for the implementation of security controls.
The Research IT Security toolkit provides resources to help U-M researchers navigate IT security compliance and ensure their research data is appropriately protected.
- Classifying Research Data
- Protecting Research Data
- Complying with Laws and Regulations
- Complying with University Policies
- Working with the IRB
- Working with Institutional Data
Classifying Research Data
Sensitive U-M data must be protected to prevent theft, unauthorized access, compromise, or inappropriate use. U-M has established data classification levels driven by legal, regulatory, academic, financial, and operational requirements.
Note that classification levels may be different for similar types of data. For example, Sensitive Identifiable Human Subject Research data is "High", de-identified Human Subject Research data is "Moderate", and other unpublished research is "Moderate", unless specifically classified as "Low" by the researcher.
It is important for researchers to understand the classification of their research data in order to determine security requirements for protecting the data.
Protecting Research Data
It is the responsibility of all U-M faculty, staff, and students to use appropriate tools and technologies to secure data and protect U-M digital assets. Below are tools and services that can help you protect research data:
- Security Requirements: considering the classification level of your research data, use the catalog of minimum security requirements to determine appropriate data protection mechanisms.
- Sensitive Data Guide: use the Sensitive Data Guide to IT Services to make informed security and compliance decisions when selecting tools for collecting, processing, storing, or sharing research data.
- Advanced Research Computing (ARC): explore the ARC catalog of cloud, data science, high performance computing, and storage services designed for U-M researchers.
Complying with Laws and Regulations
U-M and its community members must comply with data protection and privacy requirements specified by federal and state laws, regulations, and industry standards.
ITS Information Assurance maintains a list of information security laws and regulations and provides additional information and guidance. Review the laws and regulations relevant to your research data and take action to ensure compliance.
Complying with University Policies
University policies and supporting standards are established to govern the access, release, and use of university information resources. U-M faculty and staff who have access to university information resources have a responsibility to handle them appropriately and in accordance with university policies. Refer to the University of Michigan Statement on Stewardship for specific information on the fundamental responsibilities of a steward of information resources.
Policies related to the appropriate and secure handling of U-M information resources include:
- SPG 601.07: Responsible Use of Information Resources
- SPG 601.11: Privacy and the Need to Monitor and Access Records
- SPG 601.27: Information Security
If you have questions regarding compliance with these policies, contact ITS Information Assurance through the ITS Service Center.
Working with the IRB
The IRB Health Sciences and Behavioral Sciences reviews and oversees research to ensure it meets ethical principles and complies with federal regulations, state laws, and university policies. Researchers at U-M are responsible for following the U-M Research and Sponsored Projects Policies and Procedures.
For Information Assurance consultation with the IRB, contact ITS Information Assurance through the ITS Service Center.
Working with Institutional Data
Institutional data at the University of Michigan is defined and managed in accordance with SPG 601.12: Institutional Data Resource Management Policy. The U-M data governance framework provides the structure, processes, and practices that enable the management of institutional data.
When researchers need access to institutional data, they need to work with the U-M data stewards, who govern the management of, access to, and accountability for data in their area of responsibility.