What is sensitive data, and how is it protected by law?
In the course of its academic mission and its day-to-day administration, Indiana University collects large amounts of personal data on its students, faculty, and staff. Much of this data is not sensitive, and is in fact publicly available (e.g., names and telephone numbers). However, some of it is sensitive, including personal, financial, and legal information. Sensitive data include information protected by Indiana or federal law as well as that protected by university policy.
Following are some prominent examples of data protected by state and federal law and university policy. Often, context plays a role in data sensitivity; thus, this list is not exhaustive:
Personal and financial data, including:
- Social Security number (SSN)
- Credit card number or banking information
- Passport number
- Foreign visa number
- Tax information
- Credit reports
- Anything that can be used to facilitate identity theft (e.g., mother's maiden name)
Federally protected data, including:
- FERPA-protected information (e.g., student information and grades)
- HIPAA-protected information (e.g., health, medical, or psychological information)
State protected data
The state of Indiana has recently enacted data protection and disclosure laws, specifying certain data as sensitive "personal information". Indiana's notification law reads:
Sec. 3. (a) As used in this chapter, "personal information" means:
- An individual's:
- First name and last name; or
- First initial and last name; and
- At least one (1) of the following data elements:
- Social Security number
- Driver's license number or identification card number
- Account number, credit card number, debit card number, security code, access code, or password of an individual's financial account
- An individual's:
University restricted or critical data
Human subjects research data
Following are some examples of non-sensitive data. Again, this list is not exhaustive:
- Publicly available information that is lawfully made available to the public from records of another federal or local agency
- Information that would appear in the telephone directory
- The last four digits only of a Social Security number or credit card number
For more about data protection, see Protecting Data.
Last modified on April 03, 2013.