What types of data are appropriate for my enterprise Box account?
Box at Indiana University is a flexible storage service and collaboration tool appropriate for use with personal files and institutional data classified as "Public" or "University-internal".
For examples of possible uses cases involving education record data, What kinds of tasks can I accomplish with my enterprise Box account?
You may not use your enterprise Box account to collect, process, or store data covered by laws that protect privacy or require security measures:
- Box is not appropriate for storing or sharing
institutional data classified as "Restricted", such as birthdates,
ethnicities, marital statuses, benefit enrollments, and grades.
- Box is not appropriate for storing or sharing institutional data classified as "Critical", such as Social Security and driver's license numbers, banking and student loan information, passwords and passphrases, PINs and credit card numbers, and electronic protected health information (ePHI) regulated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Individuals who use enterprise Box accounts for university work are responsible for ensuring that sensitive institutional data are not placed or stored in unapproved or inappropriate locations. If you have sample cases that propose the use of Box for institutional data classified at higher levels, email the IU Committee of Data Stewards for consideration.
The Committee of Data Stewards and the University Information Policy Office (UIPO) define official classification levels and management standards for institutional data in accordance with IU's Management of Institutional Data (DM-01) policy:
- For help determining which types of data classified as "Critical"
are considered ePHI, see Which data elements in the classifications of institutional data are considered protected health information (PHI)?
- If you have questions about IU's classification of data elements,
contact the appropriate Data
- For help determining the highest classification of institutional data you can store on any given UITS service, contact the University Information Policy Office (UIPO).
For information about working with sensitive institutional data (including research-related ePHI) at IU, see:
- Which IU services are approved for storing ePHI or other types of sensitive institutional data?
- What are my responsibilities when using UITS systems for work with electronic protected health information?
- Protecting red-hot data: A guide to safe handling of critical information
Important: Before you begin using your enterprise Box account, be sure to revise your settings according to How do I securely set up my enterprise Box account?
The enterprise Box support content available here is a result of a collaborative effort by the Internet2 early adopter institutions.
Last modified on February 03, 2014.