Data Access Compliance and Storage Policy - Non-Employee

In certain circumstances, the Alumni Association of the University of Michigan (AAUM) sees fit to provide non-employees with institutional data regarding alumni and students of the University of Michigan (U-M) in order to support AAUM’s and U-M’s alumni relations efforts. There are several important University, state, and federal regulations applicable to personal data (including alumni and student data) and this Policy is intended to protect such data to the fullest extent of the law while also allowing authorized non-employees to utilize the data for permissible purposes. In order for nonemployees to receive access to alumni and student data from AAUM, they must review and certify their intent to comply with the Policy outlined herein regarding the permissible use of such data as well as the potential consequence of misuse.

Definitions

1. “U-M” refers to the University of Michigan.
2. “AAUM” refers to the Alumni Association of the University of Michigan.
3. An “Affiliated Organization” refers to an organization that acts on behalf of AAUM by furthering the alumni relations efforts of AAUM and U-M, including but not limited to AAUM’s regional clubs.
4. A “non-employee” refers to an individual who is not employed by AAUM or U-M, including but not limited to a volunteer of an Affiliated Organizations and an independent contractor retained by AAUM.
5. “U-M alumni” includes all former U-M students (living or dead).
6. “Institutional Data” refers to all data owned by U-M pertaining to U-M alumni and current students, including but not limited to an individual’s name(s), contact information (e.g., residential and business addresses, telephone numbers, email addresses), degree information, and gift history. Any and all data and information pertaining to U-M alumni and students provided by AAUM to a non-employee shall be considered Institutional Data. 

Conditions of Access to and Use of Institutional Data

1. Permissible Use of Data: Non-employees shall not access, utilize, disclose, or distribute Institutional Data except (a) for a purpose directly serving a function of AAUM and U-M, or (b) as otherwise required by law. AAUM has the sole and final authority regarding whether a nonemployee’s use or intended use of Institutional Data serves a proper function of AAUM or U-M.
2. General Requirements for Accessing and Using Data: Non-employees shall not access, utilize, release, or distribute Institutional Data unless they have reviewed and comply with the provisions contained in the following sources:  a. “Proper Use of Information Resources, Information Technology, and Networks at the University of Michigan” (U-M SPG 601.07);  b. “Use and Release of Donor and Alumni Information” (U-M SPG 602.05); and   c. any other sources, as requested of a non-employee by AAUM in the future.
3. Requirements for Accessing and Using Data on Personal Devices: Non-employees shall not access Institutional Data from personal devices unless they have reviewed and comply with the provisions and instructions contained in the following sources, including securing their personal devices as set forth therein:
   1. “Security of Personally Owned Devices That Access or Maintain Sensitive Institutional Data” (U-M SPG 601.33);
   2. “Using Your Devices Securely with U-M Data” (http://safecomputing.umich.edu/protectpersonal/devices); and
   3. “Instructions for Securing Your Devices and Data” (https://safecomputing.umich.edu/protect-yourself/secure-your-devices).
4. Requests to Non-Employee for Data: Non-employees shall not disclose or distribute Institutional Data to any person or entity without first obtaining written permission from AAUM. To the extent Institutional Data is requested by anyone other than AAUM, the non-employee shall promptly notify AAUM in writing of such request, in which case AAUM shall be vested with sole discretion of how to respond to such request. Notice of requests from a law enforcement agency or a court (e.g., a court order, subpoena, FOIA request) should be provided in writing as soon as practicable to Angila Chapman, Chief Financial Officer, The Alumni Association of the University of Michigan, 200 Fletcher St., Ann Arbor, MI 48109 or via email at jsigler@umich.edu.
5. Ownership of Data: U-M retains ownership of all Institution Data provided to or accessed by a non-employee. Non-employees shall promptly return or destroy all Institutional Data (including all copies and versions thereof), in whatever form maintained, either (a) once the purpose or activity for which the Alumni Information was provided to the non-employee has been completed, or (b) at the request of AAUM (for any reason AAUM deems necessary), whichever occurs first.
6. Breach of Institutional Data: If a non-employee becomes aware of any inappropriate use, disclosure, or breach of Institutional Data (e.g., a password or account accessing Institutional Data is compromised; unauthorized access, theft, or loss of personal device used to access Institutional data), the non-employee must report the incident within 24 hours to AAUM at 734-615-9708 or m.alumni@umich.edu. The non-employee must also allow U-M or AAUM to inspect the device in the course of any incident investigation.
7. Noncompliance: Failure to comply with this Policy may result in denial of future access to Institutional Data by the non-employee and, potentially, the non-employee’s organization.

By submitting this form, I certify that:

1. I have received, reviewed, and understand AAUM’s Policy Regarding Access and Use of Alumni Data by Non-Employees (effective September 19, 2023) and I agree to abide by all statements referenced therein, as well as applicable state and federal laws, relating to the proper use of institutional data by non-employees.
2. I will be a responsible user of institutional data and will only access institutional data to carry out U-M and AAUM business appropriate to my role.
3. I will do my part to help ensure compliance with all relevant laws, regulations, and policies regarding sensitive institutional data.
4. I will comply with the provisions of SPG 601.07 (“Proper Use of Information Resources, Information Technology, and Networks at the University of Michigan”) and SPG 602.05 (“Use and Release of Donor and Alumni Information”).
5. I will make every reasonable effort to maintain the privacy and integrity of institutional data.
6. I will appropriately secure sensitive institutional data obtained from any institutional data source, whatever the format.
7. Prior to sharing institutional data with others, I will ensure that recipients are authorized to access the data by consulting with AAUM. I will not disclose sensitive institutional data to any unauthorized person.
8. I will log off data systems when not using them.
9. I will keep my passwords secure and not share them with anyone.
10. I will dispose of sensitive institutional data, in whatever format, in an appropriate manner.
11. I will promptly notify AAUM (800.847.4764 or alumni@umich.edu) of any inappropriate use, disclosure, or breach of sensitive institutional data of which I become aware or if I think my account or password has been compromised.