About working with institutional data at IU
On this page:
At Indiana University, institutional data (or information) is defined as:
Data in any form, location, or unit that meets one or more of the following criteria:
- It is subject to a legal obligation requiring the university to responsibly manage the data.
- It is substantive and relevant to the planning, managing, operating, documenting, staffing, or auditing of one or more major administrative functions, or multiple organizational units, of the university.
- It is included in an official university report.
- It is clinical data or research data that meets the definition of "university work" under the university's Intellectual Property Policy (UA-05).
- It is used to derive any data element that meets the above criteria.
The University Data Management Council is responsible for establishing policies, procedures, and guidelines for managing institutional data at IU.
Data Stewards have management and policy-making responsibilities for specific data subject areas (e.g., student data, Human Resources data, faculty data, medical data, and research data, among others).
Data Managers, located in functional offices across the university (e.g., Admissions, Purchasing, Registrar, and Student Financial Aid, among others), are responsible for reviewing and approving requests for access to university information systems, and for ensuring that users of those systems receive appropriate orientation and training.
Official classification levels
Official classification levels for institutional data are defined in IU's DM-01 policy. From least sensitive to most sensitive, IU's official data classification levels for institutional data are:
- Public: Few restrictions apply; public data
generally can be released to the public upon request (e.g., name, jobs
title, compensation, and business address)
Note:If you receive a request for data classified as "Public", contact the appropriate Data Steward for advice. If the request is made pursuant to the Access to Public Records Act (Indiana Code 5-14-3), contact the Office of the Vice President and General Counsel (OVPGC), as well as the appropriate Data Steward, for advice.
- University-internal: Anyone employed by IU on a
part-time or full-time basis, or working under contract for IU, may
access these data elements for the purpose of conducting university
business (e.g., IU ID number, prior name, and part-time or full-time
Note:Data classified as "University-internal" are freely available within the university but are not available to the general public. Proper access controls (i.e., permissions) must be set to prevent inappropriate access.
- Restricted: Due to legal, ethical, or other constraints, this information may not be accessed without specific authorization, or only selective access may be granted (e.g., date of birth, home phone number, marital status, and military status)
- Critical: Inappropriate handling of this information may result in criminal or civil penalties, identity theft, personal financial loss, invasion of privacy, or unauthorized access by an individual or many individuals (e.g., student loan information, Social Security number, driver's license number, passport or Visa number, and state ID card number)
Standards for managing institutional data
Indiana University has official standards for managing institutional data that apply to all users and administrators of university information technology resources. These standards include rules for managing access, maintaining data integrity and security, manipulating and extracting data for reports, and choosing appropriate locations and methods for storing various institutional data elements.
If you work with institutional data at IU, you are responsible for meeting the university's official data management standards to prevent inappropriate disclosures of personal or confidential information. For details, see the university's Management of Institutional Data (DM-01) policy page.
Especially stringent standards apply to work involving sensitive institutional data (i.e., data elements classified Restricted or Critical). Always follow best practices when storing sensitive institutional data; for example:
- Never store sensitive institutional data on your desktop workstation, laptop, USB flash drive, tablet, smartphone, or other mobile device unless the data is properly encrypted on the device, and your senior executive officer or the IU Institutional Review Board (IRB) has issued prior written approval.
- Never store sensitive institutional data on an email or online storage system that is not part of the IU information technology environment.
- Always know what to do when a suspected sensitive data exposure occurs; for IU guidelines, see:
For more on best practices for handling sensitive institutional data at IU, see:
For help understanding how to securely handle, store, and share institutional data, use the Data Storage and Handling (DSH) tool.
If you have questions about IU's classification of data elements, contact the appropriate Data Steward.
For help determining the highest classification of institutional data you can store on any given UITS service, see At IU, which dedicated file storage services and IT services with storage components are appropriate for sensitive institutional data, including research data containing protected health information?
UITS provides consulting and online help for Indiana University researchers who need help securely processing, storing, and sharing data containing PHI. If you have questions about managing HIPAA-regulated data at IU, or need help, contact UITS HIPAA Consulting. For additional details about HIPAA compliance at IU, see HIPAA Privacy & Security on the University Compliance website.
For more about managing institutional data at IU, see the IU Data Management website.
This is document avqg in the Knowledge Base.
Last modified on 2017-04-19 17:05:44.
- Fill out this form to submit your issue to the UITS Support Center.
- Please note that you must be affiliated with Indiana University to receive support.
- All fields are required.