U-M has an obligation to ensure privacy and proper handling of personal identification numbers—including UMIDs—and to protect them against inappropriate access and use.
UMIDs Are Sensitive Data
UMIDs are used to identify, track, and service individuals across all institutional electronic and paper data systems, applications, and business processes throughout the span of an individual’s association with the university.
UMIDs are considered personally identifiable information (PII) and are to be used only for appropriate business purposes in support of university operations. Specifically, the data classification levels for UMIDs are:
- UMID not associated with name: Classified as Low
- UMID associated with name: Classified as Moderate and should be handled in a manner similar to data protected by FERPA.
Members of the university community are required to employ reasonable and appropriate administrative, technical, and physical safeguards to protect the integrity, confidentiality, and availability of UMIDs they handle, store, and/or transmit, particularly UMIDs that are associated with people's names.
- Controls must be put in place that limit access to files, databases, and information systems that contain UMIDs to properly authorized individuals.
- Any document, file, or database that contains UMIDs associated with names in print or electronic form is to be disposed of in a secure manner.
- UMIDs associated with names should not be viewable or displayed in a public setting. Grades and other student-related or employee-related pieces of personal information should not be publicly posted or publicly displayed in a manner where either the UMID or Social Security number, including the last four digits, identifies the individual associated with the information.
Example: A sign-in sheet at a counter can ask for an individual’s name or UMID but not both. The staff member at the counter can ask for an individual’s UMID for proof of identity purposes.