You and the university must comply with data protection and privacy requirements specified by federal and state laws, regulations, and industry standards. In some cases, there are additional requirements based on the U-M data classification level of the data you are working with (see the Sensitive Data Guide).
Controlled Unclassified Information (CUI)
Controlled Unclassified Information (CUI) is federal non-classified information that requires safeguarding compliant with the security controls delineated in NIST SP 800-171r2 or NSIT SP 800-53 R5 depending on specific contractual terms. The CUI program is a government-wide approach to creating a uniform set of requirements and information security controls directed at securing sensitive government information. The NIST document is based on the Federal Information Security Management Act of 2002 (FISMA) Moderate level requirements. CUI requirements apply to U-M researchers when they are given access to CUI information under the terms of a FAR or DFARS contract or other agreement.
Federal Acquisition Regulations (FAR) Basic Safeguarding (52.204-21) and
Defense Federal Acquisition Regulation Supplement (DFARS) (252.204-7020)
The principal purpose of federal contracts awarded to U-M is to provide services or conduct research for the direct benefit or use of the U.S. government. Federal contracts are awarded under the federal government’s procurement process and are governed by a strict set of terms and conditions, including information security requirements in FARS and DFARS (contracts with the Department of Defense). The level of stringency of Information security and data protection controls depends on the specific category and subcategory of the controlled unclassified information (CUI) as identified in the CUI Registry and as required under FAR and DFAR clauses in contracts. FAR and DFAR clauses do not generally apply to federal grants.
U-M Resources
- Research Ethics & Compliance: Controlled Unclassified Information
- Sensitive Data Guide Listing: Controlled Unclassified Information
- External Funding and Information Security Requirements
Data Steward
U-M Office of Research (UMOR) Research Information Oversight Program: [email protected]
Digital Millennium Copyright Act (DMCA) and Higher Education Opportunity Act (HEOA)
The Digital Millennium Copyright Act of 1998 (DMCA) and the Higher Education Opportunity Act (HEOA) of 2008 require that U-M manage a digital copyright compliance program that consists of four components:
- Annual disclosure/education and awareness
- A strategy for effectively combating the distribution of unauthorized copyrighted materials
- Provision of alternative sources for authorized copies of copyrighted materials
- Strategic plan review
U-M Resources
Data Examples
The following data and activities are subject to digital copyright compliance regulations:
- Third-party content shared through social media sites, such as YouTube, or peer-to-peer (P2P) file sharing technology, such as BitTorrent
- Making copies of copyrighted works available or acquiring unauthorized copies of copyrighted works
Data Steward
DMCA Agent for the University of Michigan: [email protected]
Export Control (ITAR/EAR/OFAC)
Export controlled research falls under several regulations, including:
- International Traffic in Arms Regulation (ITAR, Department of State)
- Export Administration Regulations (EAR, Department of Commerce)
- Office of Foreign Assets Control (OFAC, Department of Treasury).
Export controlled research includes information that is regulated for reasons of national security, foreign policy, anti-terrorism, or non-proliferation.
Non-U.S. citizens are not allowed to work on this type of project, and this kind of data cannot be stored on systems outside the United States.
U-M Resources
- Sensitive Data Guide Listing: Export Controlled Research (includes data examples)
- U-M Research Ethics & Compliance - Export Controls
Data Steward
U-M Research Ethics and Compliance, Export Control Officer: [email protected]
Family Educational Rights and Privacy Act (FERPA)
Student education records contain information directly related to a student and are maintained by the University of Michigan or by an educational agency or institution. The Family Educational Rights and Privacy Act (FERPA) governs release of, and access to, student education records.
U-M Resources
- Sensitive Data Guide Listing: FERPA (includes data examples)
- U-M Student Rights and Student Records
- Compliance@U-M/Privacy and Confidentiality
- Compliance education: Student Records
- RO100 FERPA at U-M (eLearning course in My LINC).
Data Steward
University Registrar: [email protected]
Federal Information Security Management Act (FISMA)
The Federal Information Security Management Act (FISMA) requires federal agencies and those providing services on their behalf to develop, document, and implement security programs for IT systems and store certain data on servers located in the U.S. FISMA applies generally to federal contracts as opposed to grants.
U-M Resources
Data Steward
Michigan Medicine Corporate Compliance: [email protected]
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) affects organizations worldwide, including universities. The GDPR is the primary law regulating how companies and organizations protect the personal data of people located in the European Union (EU).
U-M Resources
- General Data Protection Regulation (GDPR) Compliance
- General Data Protection Regulation (GDPR) Toolkit
Data Examples
- Any information that relates to the identity of an individual located in the European Union
- Different pieces of information, which collected together can lead to the identification of a particular person located in the European Union
Contact Information
- U-M Privacy Office: [email protected]
Gramm-Leach-Bliley Act (GLBA)
The Gramm-Leach-Bliley Act (GLBA) includes provisions to protect personal financial information held by financial and higher education institutions.
Departments that run their own student financial aid programs may need to be concerned about GLBA.
U-M Resources
- Sensitive Data Guide Listing: GLBA (includes data examples)
- GLBA Compliance: U-M Financial Services Information Security Plan
- U-M Student Financial Services
- Compliance@U-M/Privacy and Confidentiality
Data Steward
Director, Student Financial Services: [email protected]
External Resources
Health Insurance Portability and Accountability Act (HIPAA)
Protected Health Information (PHI) is regulated by the Health Insurance Portability and Accountability Act (HIPAA). HIPAA includes privacy and security rules that govern how PHI is collected, disclosed, and secured. The HIPAA privacy and security rules and requirements were developed to ensure data availability and integrity, while limiting access to PHI to only authorized people.
HIPAA privacy and security rules apply only to covered entities in their role as a health care provider, health plan, or health care clearinghouse. Protected health information excludes individually identifiable health information in education records covered by the Family Educational Rights and Privacy Act (FERPA) and employment records held by a covered entity in its role as an employer.
U-M Resources
- Sensitive Data Guide Listing: Protected Health Information (includes data examples)
- Michigan Medicine Compliance Program
- Compliance@U-M/Health Information Privacy & Security
- Using ITS HIPAA-Aligned Services
Data Steward
Michigan Medicine Corporate Compliance: [email protected]
External Resources
Payment Card Industry Data Security Standard (PCI DSS)
Guidelines for handling credit card information are defined by the Payment Card Industry Data Security Standard (PCI DSS). The University of Michigan Treasurer's Office specifically states: "Departments are not allowed to store electronically cardholder data on any university system. This includes, but is not limited to, computers, servers, laptops, and flash drives." If transaction records are needed, use only the last 4 digits of the number of the card.
U-M Resources
- Sensitive Data Guide Listing: Credit Card or Payment Card Industry (PCI) Information (includes data examples)
- Using PCI-Compliant Services: What U-M Merchants Need to Know
- U-M Merchant Services
Data Steward
University Treasurer: [email protected]
External Resources
Protection of Human Subjects (Common Rule)
A human subject is a living individual about whom an investigator (whether faculty member, research scientist or associate, or student) conducting research obtains data through intervention or interaction with the individual or when identifiable private information is obtained. A human subject's personally identifiable data is sensitive if it would pose increased social/reputational, legal, employability, or insurability risk to the subject if disclosed. Any data collected under a National Institutes of Health (NIH) Certificate of Confidentiality is considered to be sensitive.
Sensitive Identifiable Human Subject Research falls under the Protection of Human Subjects (Common Rule) as defined by 45 CFR 46.101(b)(2), which distinguishes regulated research from a category of exempt research using the following language: "Information obtain is recorded in such a manner that human subjects can be identified, directly or through identifiers linked to the subjects; and any disclosure of the human subjects' responses outside the research could reasonably place the subjects at risk of criminal or civil liability or be damaging to the subjects' financial standing, employability, or reputation."
U-M Resources
- Sensitive Data Guide Listing: Sensitive Identifiable Human Subject Research (includes data examples)
- U-M Human Research Protection Program (HRPP)
- Data Security Guidelines (Research Ethics & Compliance)
Data Steward
U-M Research Ethics and Compliance, Human Research Protection Program (HRPP): [email protected]
External Resources
Red Flags Rule for Identity Theft Prevention
The Red Flags Rule requires businesses that loan customers money, accept payments, or use credit reports to have methods in place to detect and prevent identity theft. The university complies with this Federal Trade Commission requirement through the U-M Identity Theft Prevention Program.
U-M Resources
Data Examples
These are examples of "red flags" that identify theft may have occured:
- A fraud or active duty alert is included with a consumer report
- Documents provided for identification appear to have been altered or forged
- Personal identifying information provided is inconsistent when compared against external information sources used by the financial institution or creditor
- The Social Security number provided is the same as that submitted by other persons opening an account or other customers
- Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer’s covered account
Data Steward
Director, Student Financial Services: [email protected]
Social Security Number Privacy Act
While Social Security numbers are a type of Personally Identifiable Information (PII), the legal requirements of the Michigan Social Security Number Privacy Act for protecting them are much more stringent than for other PII.
Social Security numbers are unique, nine-digit numbers issued to U.S. citizens, permanent residents, and temporary (working) residents for taxation, Social Security benefits, and other purposes. Social Security numbers are a primary target for identity thieves. U-M has not used Social Security numbers as identifiers for students and employees since 2004.
U-M Resources
- Sensitive Data Guide Listing: Social Security Numbers (includes data examples)
- U-M Social Security Number Privacy and Protection Standard (DS-10)
Data Steward
HR Records & Information Services
External Resources
- Michigan Identity Theft Protection Act, MCL 445.63 (applies to personally identifiable information in addition to Social Security numbers)