About institutional data at IU
On this page:
- Overview
- Official classification levels
- Standards for managing institutional data
- Request institutional storage
- Get help
Overview
At Indiana University, institutional data (or information) is defined as:
Data in any form, location, or unit that meets one or more of the following criteria:
- It is subject to a legal obligation requiring the university to responsibly manage the data.
- It is substantive and relevant to the planning, managing, operating, documenting, staffing, or auditing of one or more major administrative functions, or multiple organizational units, of the university.
- It is included in an official university report.
- It is clinical data or research data that meets the definition of "university work" under the university's Intellectual Property Policy (UA-05).
- It is used to derive any data element that meets the above criteria.
The University Data Management Council is responsible for establishing policies, procedures, and guidelines for managing institutional data at IU.
Data Stewards have management and policy-making responsibilities for specific data subject areas, such as student data, Human Resources data, faculty data, medical data, and research data, among others.
Data Managers, located in functional offices across the university (for example, Admissions, Purchasing, Registrar, and Student Financial Aid, among others), are responsible for reviewing and approving requests for access to university information systems, and for ensuring that users of those systems receive appropriate orientation and training.
Official classification levels
Classification levels of institutional data are defined in IU's Management of Institutional Data (DM-01).
- If you receive a request for data classified as Public data, contact the appropriate Data Steward for advice. If the request is made pursuant to the Access to Public Records Act (Indiana Code 5-14-3), contact the Office of the Vice President and General Counsel (OVPGC), as well as the appropriate Data Steward, for advice.
- Data classified as University-Internal data are freely available within the university but are not available to the general public. Proper access controls (in other words, permissions) must be set to prevent inappropriate access.
- Personal health data protected by the Health Insurance Portability and Accountability Act (HIPAA) Security Rule are classified as Critical data. For help determining which data elements classified as "Critical" are considered protected health information (PHI), see About protected health information (PHI) data elements in the classifications of institutional data.
Standards for managing institutional data
Indiana University has official standards for managing institutional data that apply to all users and administrators of university information technology resources. These standards include rules for managing access, maintaining data integrity and security, manipulating and extracting data for reports, and choosing appropriate locations and methods for storing various institutional data elements.
If you work with institutional data at IU, you are responsible for meeting the university's official data management standards to prevent inappropriate disclosures of personal or confidential information. For details, see Management of Institutional Data (DM-01).
Especially stringent standards apply to work involving sensitive institutional data (data elements classified Restricted or Critical). Always follow best practices when storing sensitive institutional data; for example:
- Never store sensitive institutional data on your desktop workstation, laptop, USB flash drive, tablet, smartphone, or other mobile device unless the data is properly encrypted on the device, and your senior executive officer or the IU Institutional Review Board (IRB) has issued prior written approval.
- Never store sensitive institutional data on an email or online storage system that is not part of the IU information technology environment.
- Always know what to do when a suspected sensitive data exposure occurs; for IU guidelines, see:
For more on best practices for handling sensitive institutional data at IU, see:
- Data Sharing and Handling (DSH) tool
- Federal & International Regulations
- Guidelines for protecting sensitive data
- Critical Data Guide
- Your legal responsibilities for protecting data containing protected health information (PHI) when using UITS Research Technologies systems and services
Request institutional storage
If you have institutional data, you can request institutional storage in Microsoft Teams at IU. You'll need to specify the type of data, whether or not it is sensitive, and whether you need to collaborate externally. The system will then create storage tailored to your needs.
- Shared storage in Google is available only as an option for departments that want to pay for continued storage in Google.
- Due to limits to IU's storage footprint in the Google platform, all individual Google My Drives now have a 5 GB quota.
Get help
To determine the approved storage options based on the type of data, use the Data Sharing and Handling (DSH) tool, which provides specific guidance on where to store institutional data, and general guidance on sharing, disposal, and classification of institutional data.
If you have questions about IU's classification of data elements, contact the appropriate Data Steward .
For help determining the highest classification of institutional data you can store on any given UITS service, see About dedicated file storage services and IT services with storage components appropriate for sensitive institutional data, including research data containing protected health information.
If you have questions about securing HIPAA-regulated research data at IU, email securemyresearch@iu.edu. SecureMyResearch provides self-service resources and one-on-one consulting to help IU researchers, faculty, and staff meet cybersecurity and compliance requirements for processing, storing, and sharing regulated and unregulated research data; for more, see About SecureMyResearch. To learn more about properly ensuring the safe handling of PHI on UITS systems, see the UITS IT Training video Securing HIPAA Workflows on UITS Systems. To learn about division of responsibilities for securing PHI, see Shared responsibility model for securing PHI on UITS systems.
For more about managing institutional data at IU, see Data Management.
This is document avqg in the Knowledge Base.
Last modified on 2023-08-16 13:09:49.