What is sensitive data, and how is it protected by law?

In the course of its academic mission and its day-to-day administration, Indiana University collects large amounts of personal data on its students, faculty, and staff. Much of this data is not sensitive, and is in fact publicly available (e.g., names and telephone numbers). However, some of it is sensitive, including personal, financial, and legal information. Sensitive data include information protected by Indiana or federal law as well as that protected by university policy. For details, see Management of Institutional Data (DM-01).

The term "sensitive" is descriptive only; it is not an official classification under university policy. Sensitive data may fit into various classifications based on the legal requirements and use.

Following are some prominent examples of data protected by state and federal law and university policy. Often, context plays a role in data sensitivity; thus, this list is not exhaustive:

  • Personal and financial data, including:
    • Social Security number (SSN)
    • Credit card number or banking information
    • Passport number
    • Foreign visa number
    • Tax information
    • Credit reports
    • Anything that can be used to facilitate identity theft (e.g., mother's maiden name)
  • Federally protected data, including:
    • FERPA-protected information (e.g., student information and grades)
    • HIPAA-protected information (e.g., health, medical, or psychological information)
  • State protected data

    The state of Indiana has recently enacted data protection and disclosure laws, specifying certain data as sensitive "personal information". Indiana's notification law reads:

    Sec. 3. (a) As used in this chapter, "personal information" means:

    1. An individual's:
      1. First name and last name; or
      2. First initial and last name; and
    2. At least one (1) of the following data elements:
      1. Social Security number
      2. Driver's license number or identification card number
      3. Account number, credit card number, debit card number, security code, access code, or password of an individual's financial account
  • University restricted or critical data
  • Human subjects research data
  • Passwords

Following are some examples of non-sensitive data. Again, this list is not exhaustive:

  • Publicly available information that is lawfully made available to the public from records of another federal or local agency
  • Information that would appear in the telephone directory
  • The last four digits only of a Social Security number or credit card number

For more about data protection, see Protecting Data.

This is document augs in the Knowledge Base.
Last modified on 2017-12-08 17:53:36.

  • Fill out this form to submit your issue to the UITS Support Center.
  • Please note that you must be affiliated with Indiana University to receive support.
  • All fields are required.

Please provide your IU email address. If you currently have a problem receiving email at your IU account, enter an alternate email address.

  • Fill out this form to submit your comment to the IU Knowledge Base.
  • If you are affiliated with Indiana University and need help with a computing problem, please use the I need help with a computing problem section above, or contact your campus Support Center.

Please provide your IU email address. If you currently have a problem receiving email at your IU account, enter an alternate email address.