Guidelines for Storage of University Electronic Data

The following grid outlines appropriate storage services and locations for University electronic data based on the Campus Data Security Policy (IT6007) and the UofM Data Classification Document. The locations or services included in the grid are accessible by end-users with the primary functions of storing, sharing, or transmitting data.

Social Security Numbers (SSNs) should not be stored in any medium listed below regardless of the data classification or intended use.

Pursuant to the Payment Card Industry (PCI) Compliance Policy (BF4023), "Cardholder data may not be stored in any University system, server, personal computer, e-mail account, portable electronic device (laptop, flash drive, CD/DVD, PDA, cell-phone, tablet, portable hard-drive, etc.) or on paper documents." Therefore, storage of PCI data is not referenced in this document.

For locations marked with a 'Yes', it is assumed that appropriate Access Controls have been enabled and reviewed to ensure that access to data is limited to appropriate individuals. Additional consultation with University Data Stewards may be necessary in order to store data in some locations.

A table of storage services allowed based on data type:

data storage locations

  1. Data can be stored in this location provided that it uses an encryption mechanism appropriate for the type of data being stored. 
  2. Data can be stored in this location after additional review by the University's Director of IT Security.