About working with institutional data at IU

On this page:


Overview

At Indiana University, institutional data (or information) is defined as:

Data in any form, location, or unit that meets one or more of the following criteria:

  • It is subject to a legal obligation requiring the university to responsibly manage the data.
  • It is substantive and relevant to the planning, managing, operating, documenting, staffing, or auditing of one or more major administrative functions, or multiple organizational units, of the university.
  • It is included in an official university report.
  • It is clinical data or research data that meets the definition of "university work" under the university's Intellectual Property Policy (UA-05).
  • It is used to derive any data element that meets the above criteria.

The University Data Management Council is responsible for establishing policies, procedures, and guidelines for managing institutional data at IU.

Data Stewards have management and policy-making responsibilities for specific data subject areas (e.g., student data, Human Resources data, faculty data, medical data, and research data, among others).

Data Managers, located in functional offices across the university (e.g., Admissions, Purchasing, Registrar, and Student Financial Aid, among others), are responsible for reviewing and approving requests for access to university information systems, and for ensuring that users of those systems receive appropriate orientation and training.

Official classification levels

Official classification levels for institutional data are defined in IU's DM-01 policy. From least sensitive to most sensitive, IU's official data classification levels for institutional data are:

  • Public: Few restrictions apply; public data generally can be released to the public upon request (e.g., name, jobs title, compensation, and business address)
    Note:
    If you receive a request for data classified as "Public", contact the appropriate Data Steward for advice. If the request is made pursuant to the Access to Public Records Act (Indiana Code 5-14-3), contact the Office of the Vice President and General Counsel (OVPGC), as well as the appropriate Data Steward, for advice.
  • University-internal: Anyone employed by IU on a part-time or full-time basis, or working under contract for IU, may access these data elements for the purpose of conducting university business (e.g., IU ID number, prior name, and part-time or full-time employment status)
    Note:
    Data classified as "University-internal" are freely available within the university but are not available to the general public. Proper access controls (i.e., permissions) must be set to prevent inappropriate access.
  • Restricted: Due to legal, ethical, or other constraints, this information may not be accessed without specific authorization, or only selective access may be granted (e.g., date of birth, home phone number, marital status, and military status)
  • Critical: Inappropriate handling of this information may result in criminal or civil penalties, identity theft, personal financial loss, invasion of privacy, or unauthorized access by an individual or many individuals (e.g., student loan information, Social Security number, driver's license number, passport or Visa number, and state ID card number)
    Note:
    Personal health data protected by the Health Insurance Portability and Accountability Act (HIPAA) Security Rule are classified as "Critical". For help determining which data elements classified as "Critical" are considered protected health information (PHI), see About protected health information (PHI) data elements in the classifications of institutional data .

Standards for managing institutional data

Indiana University has official standards for managing institutional data that apply to all users and administrators of university information technology resources. These standards include rules for managing access, maintaining data integrity and security, manipulating and extracting data for reports, and choosing appropriate locations and methods for storing various institutional data elements.

If you work with institutional data at IU, you are responsible for meeting the university's official data management standards to prevent inappropriate disclosures of personal or confidential information. For details, see the university's Management of Institutional Data (DM-01) policy page.

Especially stringent standards apply to work involving sensitive institutional data (i.e., data elements classified Restricted or Critical). Always follow best practices when storing sensitive institutional data; for example:

For more on best practices for handling sensitive institutional data at IU, see:

Get help

To determine the approved storage options based on the type of data, use the Data Sharing and Handling (DSH) tool. The Data Sharing and Handling tool is intended to provide specific guidance on where to store institutional data, and general guidance on sharing, disposal and classification of institutional data.

If you have questions about IU's classification of data elements, contact the appropriate Data Steward.

For help determining the highest classification of institutional data you can store on any given UITS service, see About dedicated file storage services and IT services with storage components appropriate for sensitive institutional data, including research data containing protected health information.

UITS provides consulting and online help for Indiana University researchers, faculty, and staff who need help securely processing, storing, and sharing data containing protected health information (PHI). If you have questions about managing HIPAA-regulated data at IU, contact UITS HIPAA Consulting. To learn more about properly ensuring the safe handling of PHI on UITS systems, see the UITS IT Training video Securing HIPAA Workflows on UITS Systems. For additional details about HIPAA compliance at IU, see HIPAA Privacy & Security on the University Compliance website.

For more about managing institutional data at IU, see the IU Data Management website.

This is document avqg in the Knowledge Base.
Last modified on 2018-10-10 18:17:31.

Contact us

For help or to comment, email the UITS Support Center.