Guidelines for Storage and Transmission of University Electronic Data
All University data must be stored and transmitted appropriately according to the Campus Data Security Policy (IT6007) and the UofM Data Classification Document. The locations or services included in the table below are accessible by end-users with the primary functions of storing, sharing, or transmitting data.
Social Security Numbers (SSNs) should not be stored or transmitted in any medium listed below regardless of the data classification or intended use.
Pursuant to the Payment Card Industry (PCI) Compliance Policy (BF4023), "Cardholder data may not be stored in any University system, server, personal computer, e-mail account, portable electronic device (laptop, flash drive, CD/DVD, PDA, cell-phone, tablet, portable hard-drive, etc.) or on paper documents." Therefore, storage of PCI data is not referenced in this document.
For locations marked with a 'Yes', it is assumed that appropriate Access Controls have been enabled and reviewed to ensure that access to data is limited to appropriate individuals. Additional consultation with University Data Stewards may be necessary in order to store data in some locations.
A table of storage services allowed based on data type:
| | Restricted Data | Internal / Limited Access Data | Public Data |
|---|---|---|---|
| Definition | Data protected by federal or state law or regulations, or by contract. Restricted University data includes, but is not limited to, data that is protected by the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI-DSS), the Gramm-Leach Bliley Act (GLBA) or Controlled Unclassified Information (CUI) as identified in a law, regulation, or government policy. | Data that would not expose the University to loss if disclosed, but should be protected. Internal/Limited access University data includes, but is not limited to, operational data likely to be distributed across organizational units within the University. | Data available within the University community and to the general public. |
| Risk | High | Medium | Low |
| Access | Individuals designated with approved access. | UoM employees and non-employees with a business "need to know" | UoM affiliates and general public with a "need to know" |

Restricted Data Categories: FERPA, HIPAA, GLBA, Other

| Data Storage Service/Location | FERPA | HIPAA | GLBA | Other | Internal / Limited Access Data | Public Data |
|---|---|---|---|---|---|---|
| UMmail Email | No | No | No | No | Yes | Yes |
| ITNAS File Storage | Yes | No | Yes | Yes¹ | Yes | Yes |
| Teams/OneDrive | Yes | Yes | Yes | Yes¹ | Yes | Yes |
| umWiki | No | No | No | No | Yes | Yes |
| ITS-Managed Server | Yes | Yes¹ | Yes | Yes¹ | Yes | Yes |
| Removable Storage | Yes¹ | Yes¹ | Yes¹ | Yes¹ | Yes | Yes |
| Local PC | Yes¹ | Yes¹ | Yes¹ | Yes¹ | Yes | Yes |
| Mobile Device | Yes¹ | Yes¹ | Yes¹ | Yes¹ | Yes | Yes |
| Non-ITS-Managed Cloud service | No | No | No | Yes¹,² | Yes | Yes |

| Data Transmission | FERPA | HIPAA | GLBA | Other | Internal / Limited Access Data | Public Data |
|---|---|---|---|---|---|---|
| UMmail Email | No | No | No | No | Yes | Yes |
| Teams/OneDrive | Yes | Yes | Yes | Yes¹ | Yes | Yes |
| ITS-Managed Server | Yes | Yes¹ | Yes | Yes¹ | Yes | Yes |
| Removable Storage | Yes¹,² | Yes¹,² | Yes¹,² | Yes¹,² | Yes | Yes |
| Non-ITS-Managed Cloud service | No | No | No | Yes¹,² | Yes | Yes |

1. This service or location can be used to store or transmit data provided that it uses an encryption mechanism appropriate for the type of data in question.
2. This service or location can be used to store or transmit data after additional review by the University’s Director of IT Security.