Mobile

Guidelines for Use of Development Data on Personally Owned Devices

Overview

If you use personally owned devices to access Development Data (i.e. via the DART Mobile functionality), you are responsible for securing the data by properly self-managing the privacy and security settings on your device(s).

Certain elements of Development Data are categorized as Private Personal Information (PPI). Appropriate protection of PPI is required by law, contractual obligations and university policies. Specifically, this includes DART data, such as:

  • Biographic/demographic data
  • Contact information
  • Prospect data
  • Gift data

Personally Owned Devices include:

  • Personal computers, laptops, smartphones, tablets, media players
  • Removable media such as USB flash drives, external disk drives, DVDs, or any optical storage media that can be readily transferred from one electronic device to another

U-M Requirements

U-M Requirement | What does this mean? | Resources, References, and How-To's
Security When Traveling
  • Use the U-M VPN for the most secure Internet connection whenever possible. Avoid using free wireless services.
  • Assume that any computer network you use is insecure, including those of friends you are staying with, in business centers, at cyber-cafes, or in libraries.
  • Be especially careful when accessing sensitive personal or university data when traveling. Extra precautions should be taken when traveling to high-risk locations, such as China.
  • Secure U-M data, protect personal devices, and minimize the risk of loss or theft of the data on your mobile devices by taking some additional specific actions before, during, and after your trip.
Appropriate Use
  • As a rule, do not download sensitive institutional data to your personally owned devices. Exception: donor contact information may be maintained on a mobile phone.
  • Access DART information on personally owned devices only when necessary for the performance of University-related duties and activities.
  • Take all required, reasonable, and prudent actions necessary to ensure the security and retention of sensitive institutional data.
Personal Device Security Requirements
  • Maintain up-to-date, device-appropriate security safeguards and follow the policies, standards, and guidance provided by the University.
  • The University or individual units may require that specific security settings and/or software to protect sensitive institutional data be put in place and maintained on the device.
Data Return or Deletion
  • Should you find you have sensitive institutional data maintained on personally owned devices, you must return or delete the information upon request from the University or when your role or employment status changes such that you are no longer an authorized user of that data.
Incident Reporting
  • Personally owned devices that access or maintain sensitive institutional data and that are lost, stolen, have been subject to unauthorized access, or otherwise compromised must be reported within 24 hours.
Personal Device Inspection
  • In the course of an incident investigation, the University reserves the right to inspect a personally owned device that accesses or maintains sensitive institutional data.
Response to Document Requests and Production
  • University employees, agents and affiliates must produce records or data (or the devices on which they are stored) upon request of the University.

Additional Resources