About sensitive data at IU

In the course of its academic mission and its day-to-day administration, Indiana University collects large amounts of personal data on its students, faculty, and staff. Much of this data is not sensitive, and is in fact publicly available (for example, names and telephone numbers). However, some of it is sensitive, including personal, financial, and legal information. Sensitive data include information protected by Indiana or federal law as well as that protected by university policy. For details, see Management of Institutional Data (DM-01).

The term "sensitive" is descriptive only; it is not an official classification under university policy. Sensitive data may fit into various classifications based on the legal requirements and use.

Following are some prominent examples of data protected by state and federal law and university policy. Often, context plays a role in data sensitivity; thus, this list is not exhaustive:

  • Personal and financial data, including:
    • Social Security number (SSN)
    • Credit card number or banking information
    • Passport number
    • Foreign visa number
    • Tax information
    • Credit reports
    • Anything that can be used to facilitate identity theft (for example, mother's maiden name)
  • Federally protected data, including:
    • FERPA-protected information (for example, student information and grades)
    • HIPAA-protected information (for example, health, medical, or psychological information)
  • State protected data

    The state of Indiana has recently enacted data protection and disclosure laws, specifying certain data as sensitive "personal information". Indiana's notification law reads:

    Sec. 3. (a) As used in this chapter, "personal information" means:

    1. An individual's:
      1. First name and last name; or
      2. First initial and last name; and
    2. At least one (1) of the following data elements:
      1. Social Security number
      2. Driver's license number or identification card number
      3. Account number, credit card number, debit card number, security code, access code, or password of an individual's financial account
  • Critical or Restricted data
  • Human subjects research data
  • Passwords

Following are some examples of non-sensitive data. Again, this list is not exhaustive:

  • Publicly available information that is lawfully made available to the public from records of another federal or local agency
  • Information that would appear in the telephone directory
  • The last four digits only of a Social Security number or credit card number

For more about data protection, see Protecting Data & Privacy.

This is document augs in the Knowledge Base.
Last modified on 2024-05-31 09:57:47.