ARCHIVED: Dealing safely with University ID numbers

Disclosing a UID

As a student education record, the student University ID (UID) is classified as university-internal institutional data. Thus, it is protected as a student education record under the federal Family Educational Rights and Privacy Act (FERPA), receiving the same confidentiality/privacy treatment as other FERPA-protected university-internal data. Consistent with FERPA, UIDs may be shared, in full, with others within Indiana University who need to have them to conduct university business. However, they cannot be shared or disclosed (outside of IU or to those internally who do not require access to it to perform their jobs) without either the student's written permission or an exception under FERPA permitting the disclosure.

Transmitting a UID

The University Information Policy Office advises caution when transmitting UIDs. If it would be disruptive to your business operations to forgo emailing the UID, you can include it in the body of an email message or as an attachment; however, the Policy Office recommends a more secure medium. UIDs should never appear in the subject line of an email message. Also, when sending email, it is critical that you enter the correct recipients in the "To" and "CC" lines.

UIDs as authentication

Units must not create web applications or other processes permitting access to other sensitive identifying information (e.g., names or Social Security numbers) solely with a UID, since allowing such applications would require implementation of much stricter security measures in order to protect access to and misuse of the UID.