Guidelines for Storage of University Electronic Data

The following grid outlines appropriate storage services and locations for University electronic data based on the Campus Data Security Policy (UM1691) and the UofM Data Classification Document. The locations or services included in the grid are accessible by end-users with the primary functions of storing, sharing, or transmitting data.

Social Security Numbers (SSNs) should not be stored in any medium listed below regardless of the data classification or intended use.

Pursuant to the Payment Card Industry (PCI) Compliance Policy (UM1762), "Cardholder data may not be stored in any University system, server, personal computer, e-mail account, portable electronic device (laptop, flash drive, CD/DVD, PDA, cell-phone, tablet, portable hard-drive, etc.) or on paper documents." Therefore, storage of PCI data is not referenced in this document.

For locations marked with a 'Yes', it is assumed that appropriate Access Controls have been enabled and reviewed to ensure that access to data is limited to appropriate individuals. Additional consultation with University Data Stewards may be necessary in order to store data in some locations.

| | Restricted Data | Internal / Limited Access Data | Public Data |
| --- | --- | --- | --- |
| Definition | Data protected by federal or state law or regulations, or by contract. Restricted University data includes, but is not limited to, data that is protected by the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA), or the Gramm-Leach-Bliley Act (GLBA). | Data that would not expose the University to loss if disclosed, but should be protected. Internal/Limited access University data includes, but is not limited to, operational data likely to be distributed across organizational units within the University. | Data available within the University community and to the general public. |
| Risk | High | Medium | Low |
| Access | Individuals designated with approved access. | UoM employees and non-employees with a business “need to know” | UoM affiliates and general public with a “need to know” |

 

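| Data Storage Service / Location | Restricted Data: FERPA | Restricted Data: HIPAA | Restricted Data: GLBA | Restricted Data: Other | Internal / Limited Access Data | Public Data |
| --- | --- | --- | --- | --- | --- | --- |
| umMail Email | No | No | No | No | Yes | Yes |
| umDrive File Storage | Yes | No | Yes | Yes¹ | Yes | Yes |
| ITNAS File Storage | Yes | No | Yes | Yes¹ | Yes | Yes |
| OneDrive for Business | Yes | No | Yes | Yes¹ | Yes | Yes |
| umWiki | Yes | No | Yes | Yes¹ | Yes | Yes |
| ITS-Managed Server | Yes | Yes¹ | Yes | Yes¹ | Yes | Yes |
| Removable Storage | Yes¹ | Yes¹ | Yes¹ | Yes¹ | Yes | Yes |
| Local PC | Yes¹ | Yes¹ | Yes¹ | Yes¹ | Yes | Yes |
| Mobile Device | Yes¹ | Yes¹ | Yes¹ | Yes¹ | Yes | Yes |
| Non-ITS-Managed Cloud Service | No | No | No | Yes¹,² | Yes | Yes |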

 

  1. Data can be stored in this location provided that it uses an encryption mechanism appropriate for the type of data being stored. 
  2. Data can be stored in this location after additional review by the University's Director of IT Security.