At IU, what data elements are considered institutional data?
On this page:
According to Indiana University's Management of Institutional Data (DM-01) policy, the term "institutional data" applies to any information (in any form, location, or unit) that satisfies at least one of the following criteria:
- It is created, received, maintained, or transmitted as a result of educational, clinical, research, or patient-care activities.
- It is substantive, reliable, and relevant to the planning, managing, operating, documenting, staffing, or auditing of one or more major administrative functions of the university.
- It is used to derive any data element that meets the above criteria.
The Committee of Data Stewards is responsible for establishing policies, procedures, and guidelines for managing institutional data at IU. Each Data Steward has management and policy-making responsibilities for specific data subject areas (e.g., student data, Human Resources data, faculty data, medical data, and research data, among others).
Data Managers, located in functional offices across the university (e.g., Admissions, Purchasing, Registrar, and Student Financial Aid, among others), are responsible for reviewing and approving requests for access to university information systems, and for ensuring that users of those systems receive appropriate orientation and training.
Official classification levels
The Committee of Data Stewards and the University Information Policy Office (UIPO) have defined official classification levels for institutional data, in accordance with IU policy.
Following, from least sensitive to most sensitive, are the official data classification levels for institutional data at Indiana University:
- Public: Few restrictions apply; public data
generally can be released to the public upon request (e.g., name, jobs
title, compensation, and business address)
Note: If you receive a request for data classified as "Public", contact the appropriate Data Steward for advice. If the request is made pursuant to the Access to Public Records Act (Indiana Code 5-14-3), contact the Office of the Vice President and General Counsel (OVPGC), as well as the appropriate Data Steward, for advice.
- University-internal: Anyone employed by IU on a
part-time or full-time basis, or working under contract for IU, may
access these data elements for the purpose of conducting university
business (e.g., IU ID number, prior name, and part-time or full-time
Note: Data classified as "Public" are freely available within the university but are not available to the general public. Proper access controls (i.e., permissions) must be set to prevent inappropriate access.
- Restricted: Due to legal, ethical, or other constraints, this information may not be accessed without specific authorization, or only selective access may be granted (e.g., date of birth, home phone number, marital status, and military status)
- Critical: Inappropriate handling of this
information may result in criminal or civil penalties, identity theft,
personal financial loss, invasion of privacy, or unauthorized access
by an individual or many individuals (e.g., student loan information,
Social Security number, driver's license number, passport or Visa
number, and state ID card number)
Note: Personal health data protected by the Health Insurance Portability and Accountability Act (HIPAA) Security Rule are classified as "Critical". For help determining which data elements classified as "Critical" are considered protected health information (PHI), see Which data elements in the classifications of institutional data are considered protected health information (PHI)?
For more, see Classifications of Institutional Data.
Standards for managing institutional data
The IU Committee of Data Stewards and University Information Policy Office (UIPO) have established official standards for managing institutional data that apply to all all users and administrators of IU information technology resources. These standards include rules for managing access, maintaining data integrity and security, manipulating and extracting data for reports, and choosing appropriate locations and methods for storing various institutional data elements.
If you work with institutional data at IU, you are responsible for meeting the university's official data management standards to prevent the inappropriate disclosure of personal or confidential information. For details, see Standards for Management of Institutional Data.
Especially stringent standards apply when working with sensitive institutional data (i.e., data elements classified Restricted or Critical). Always follow best practices when storing sensitive institutional data; for example:
- Never store sensitive institutional data on your desktop workstation, laptop, USB flash drive, tablet, smartphone, or other mobile device unless the information is properly encrypted on the device, and your senior executive officer or the IU Institutional Review Board (IRB) has given prior written approval.
- Never store sensitive institutional data on an email or online storage system that is not part of the IU information technology environment.
- Know what to do if a suspected sensitive data exposure occurs; see:
For more on best practices for handling sensitive institutional data, see:
- Federal & State Data Protection Laws
- Guidelines for handling electronic institutional and personal information
- Protecting red-hot data: A guide to safe handling of critical information
If you have questions about IU's classification of data elements, contact the appropriate Data Steward.
For help determining the highest classification of institutional data you can store on any given UITS service, contact the University Information Policy Office (UIPO), or see At IU, which dedicated file storage services and IT services with storage components are appropriate for sensitive institutional data, including research data containing protected health information?
UITS provides consulting and online help for Indiana University researchers who need help securely processing, storing, and sharing data containing PHI. If you have questions about managing HIPAA-regulated data at IU, or need help, contact UITS HIPAA Consulting. For additional details about HIPAA compliance at IU, see HIPAA Privacy & Security on the Office of Vice President and General Counsel (OVPGC) website.
This is document avqg in the Knowledge Base.
Last modified on 2015-09-30.
- Fill out this form to submit your issue to the UITS Support Center.
- Please note that you must be affiliated with Indiana University to receive support.
- All fields are required.