"Protected" and "sensitive" information

In the United States, personal information is protected by many different federal and state laws, and by regulations that derive from those laws.  The particular ones that apply depend on the kind of information, and on how and by whom the information is being collected, used or disclosed.

Personal information handling may also be addressed by private organizations' certification requirements (such as those of JCAHO).  It is almost always covered by an organization's internal policies, which combine the requirements of the various government and private bodies as well as the organization's own views about what should be protected. 

In other words, it's complex, and this page can only summarize.  If you have questions about the particular protections that apply to information you collect, use or disclose, contact the appropriate UM department (see links below) or your organization's designated legal counsel. 

If you're not sure whom to approach at UM, contact the Office of the General Counsel.

Sensitive vs. protected

It is common to refer to "sensitive" information, but this is not a legal distinction.  Some kinds of information that you probably would not think to be sensitive -- something as simple as a person's name or address -- may be subject to legal-regulatory protections depending on the context. 

Still, it is useful to leverage your common sense when it comes to protecting information.  Even if you don't memorize all the various public and private protections that apply to data, you probably have a good sense of when something is likely to be "sensitive."  And if it is sensitive, it is likely to be protected by laws, regulations, certification requirements, or UM policies.

Identified vs. identifiable

Protections obviously extend to persons' identified information -- where some explicit, direct "identifier" data, like a full legal name or social security number, is part of the information collection.   

Identifiable information is usually considered protected as well.  That is, where identification of the individual is likely, or at least reasonably possible, given other in-direct identifiers.  For example, a record with age, gender and nine-digit zip code might easily be matched to a particular person.

It's fairly easy to spot identified data, but what is identifiable may require a statistician's analysis.  You usually cannot make a determination on your own that data is truly "de-identified."

Health information

HIPAA is the principal federal law protecting health information.  Regulations mandated by HIPAA protect "anything related to the past, present or future physical or mental health condition of a person."  While some parts of HIPAA reach only to health information in "electronic" form, its privacy protections extend to health information in "any form or medium."

Florida statutes also protect health information  -- and, where stricter than HIPAA's protections, these remain in effect.  Florida statutes protect all data in "medical records," with special protections for certain kinds of information (e.g., genetic information, HIV status).

JCAHO certification requirements also include components related to the privacy and security of health information.

If you have questions regarding policies for collection, use or disclosure of patients' health information at UM, contact the Office of HIPAA Privacy and Security.  For compliance-specific issues, including JCAHO issues, contact the appropriate representative of the Office of Compliance.

Education information

FERPA is the principal federal law here.  It protects "records, files, documents, and other materials" that "contain information directly related to a student" when held by a federally-funded educational institution or by someone who works for one.  (Almost every postsecondary institution is federally funded, including UM.)

Florida statutes address the rights of students and their parents with respect to education records created, maintained or used by public institutions in the state, but do not reach to private institutions like UM.

If you have questions regarding handling of students' educational records, contact the UM Office of the Registrar

Research information

Research with human subjects is governed by federal, state, and local laws, as well as by institutional policy, as is information collected, used or disclosed in research contexts.   

Federal "Common Rule" (45 CFR 46) protections mandate that invasions of privacy and breaches of confidentiality are among the risks that researchers must address and manage appropriately.  So do analogous protections of the FDA (21 CFR 11).

Health information collected, used or disclosed for research purposes is also subject to HIPAA protections.

If you have questions regarding research subjects' records, contact the Human Subjects Research Office.

Financial information

The principal federal law is FSMA (a.k.a. GLBA), but it applies mainly to financial institutions (brokerage houses, banks, credit card issuers) and insurance companies.  It protects information related to obtaining financial products and services.

In a university context, this relates primarily to data regarding student loans, income tax information from a student's parent(s) pursuant to a financial aid package, and other miscellaneous financial services. 

Credit card information is subject to the certification requirements of the Payment Card Industry (PCI) Data Security Standard.

If you have any questions regarding GLBA compliance, send email to GLBA@miami.edu.  For questions about PCI compliance, contact Medical Information Technology's Information Security group.

Employment information

There are relatively few legal protections for employees with respect to information held by a private employer.  (Employees of public agencies in Florida have much, but not all, of their employment data exempted from the state's "Sunshine" public records access provisions.)  

Even so, most employers consider their employment records as among the most sensitive they keep.

An employer that also provides health or education services to an employee is bound by the laws governing those kinds of information.  (UM does both.)  As part of those protections, the employer must keep such information "firewalled" away from regular employment records. 

If you have questions regarding UM employees' personnel records, contact Gables Human Resources or Medical Human Resources.

"Identity" information

In the past few years dozen of bills have been introduced in Congress to protect consumers from identity theft.  The proposed laws vary in their details, but would generally require greater security for all personal data held by organizations, and require disclosure of any data security breach presenting a significant risk of identity theft

Many states are considering similar laws.  Florida passed one in 2005 (FL Stat 817.5681) that provides for required notice in the event of a data exposure.

The risk of identity theft increases with the loss of any personal data.  It doesn't require a social security or bank account number;  even something as simple as a postal address and telephone contact number can present a threat if combined with other data.  So the potential reach of such legislation is very broad.

Your personal information

The organization for which you work obviously expects you to take appropriate steps to protect the sensitive information under your control.  That means being conversant with -- and following -- the basic steps for computer security at work.

Don't forget that your home computer may contain data about you that presents a risk if inappropriately accessed.  Make sure you take the same steps to promote computer security at home.  If you use a portable computing device, see computer security on the move.

Learn more

Electronic Privacy Information Center (EPIC)
Extensive resources on all aspects of privacy

Privacy International (PI)
Extensive coverage of privacy issues worldwide

privacy.org
Daily news updates and information  on privacy issues, a joint project of EPIC and PI

Privacy Rights Clearinghouse
Information focused on protecting consumer privacy