Protect Sensitive Data

Before requesting access to systems that maintain sensitive institutional data, U-M faculty, staff, and Michigan Medicine workforce members are asked to:

1. Complete an online course, DCE101 U-M Data Protection and Responsible Use (in My LINC).
2. Once the course is completed, they can submit an access request.

When people no longer have any affiliation to the university, they lose access to U-M standard computing services after a grace period. Departments and units are expected to initiate removal of administrative, elevated, and departmental access as part of the university's off-boarding process, whether the person leaves the university entirely or just leaves a role or job within it. For details, see

• Getting (and Losing) Access
• What Happens to Your Uniqname, Directory Profile, and Computing Services After You Leave U-M
• Online Access Request System (OARS): Unit Transfer Process for Unit Liaisons
• OARS: Employee Termination Procedure

Applicable laws, regulations, or U-M policies and standards govern specific forms of data (for example, health information, credit card data) and may apply to the care of your sensitive data. 

For specific information, refer to:

• Comply With Laws, Policies, and Regulations
• Information Security Laws and Regulations
• Information Technology Policies at U-M

Follow the Information Security Risk Management guidelines, including the RECON risk assessment process, to reduce the risks of storing and using sensitive data.

Learn how to protect sensitive data while traveling at Travel Safely With Technology.

You are responsible for adequately safeguarding sensitive institutional data when you work from home or away from campus, including telecommuting, and access U-M systems and applications—whether you are using a university-owned or personally owned device.

• Faculty and staff who work from home or away from campus are expected to comply with Responsible Use of Information Resources (SPG 601.07) and Security of Personally Owned Devices (SPG 601.33) where applicable.
• Individual units may define additional conditions, restrictions, or guidelines as long as they are consistent with the provisions of SPG 601.07.
• For guidance on securing your personally owned devices and home network, see:
  • Secure Your Personal Computer
  • Secure Your Home Wireless Connection
  • Secure Your Internet Connection/Connect Securely Off Campus

If you work with sensitive institutional data from your own devices or from self-managed devices (for example, devices purchased for research purposes with grant money that are not managed by your department's IT staff), you are expected to secure and properly manage them to protect that data. For details, see: Your Responsibilities for Protecting Sensitive Data When Using Your Own Devices.

Personal accounts are those you sign up for yourself for your own use. These are different from accounts that the university makes available to you and for which it has a contract with the vendor, such as Google.

See Use of Personal Accounts and Data Security for more information.

Some cloud services include features to securely protect sensitive data, and some don't. You may need to take additional precautions yourself to configure cloud services appropriately. Learn more at Safely Use the Cloud.

The Sensitive Data Guide is an interactive tool to assist faculty, staff, and researchers in making informed decisions about where to safely store and share sensitive data using IT services available on the UM-Ann Arbor campus. It is particularly important to be careful with cloud computing resources; see also Safely Use the Cloud.

See how your unit and ITS can work together to ensure HIPAA standards are maintained via ITS HIPAA-Aligned Services.

Be sure the equipment you are using to interact with sensitive data is being properly secured to work with it. See Manage Your Workstation.

If you are interacting with sensitive data on a personal device, you will also need to review:

• Your Responsibilities for Sensitive Data & Your Personal Devices
• Secure Your Personal Devices (Video)

When you are done with computers, other devices, hard drives, DVS, scanners, etc. that have interacted with sensitive data, you must take special care to dispose of them properly, since that data may still be recoverable. See Securely Dispose of U-M Data and Devices for instructions.

Immediate reporting of a suspected breach:

• gives security staff the best chance to mitigate any possible negative outcomes
• is a U-M policy: Information Security Incident Reporting (SPG 601.25)

See Report an IT Security Incident for details.

All requests for information under the Freedom of Information Act (FOIA) should be directed immediately to the university's FOIA Office.

U-M's Office of the General Counsel represents and advises the U-M community on legal matters.

Human Resource Records and Information Services (HRRIS) is the data steward of employment data for the university. It is responsible for developing and maintaining the university's human resource information system, maintaining faculty and staff records, providing information services to the university community and external agencies, and delivering customer support for benefits and other HR-related items. The HRRIS team is available for individual consultations with business and academic units.

The Michigan Medicine Compliance Office promotes compliance with all laws/regulations governing health care billing, coding, Medicare and Medicaid, patient privacy and information security, relationships and conflict of interest, and governmental investigations.

The Office of the Registrar provides help with and information about protecting student rights and records. This includes details about what information can and cannot be released. 

If you have a U-M research project for which the federal contract or award contains language or clauses requiring specific information security controls, you can send email to Research.Information.Security@umich.edu for help. Learn about U-M's Research Information Security Program.

The Treasurer's Office is responsible for Payment Card Industry (PCI) information at U-M. You must work with this office if you wish to accept credit card payments.