Types of institutional data appropriate for Microsoft 365 at IU and Google at IU
Important:
Individuals who work with institutional data are responsible for ensuring that those data are stored in approved locations. In addition, regulated data such as health information or personally identifiable information are often subject to federal and state laws (for example, HIPAA and FERPA) that require users to apply additional security measures.
In accordance with laws and university policies that protect the privacy and security of institutional data, applications provided by the Microsoft 365 at IU and Google at IU services are appropriate for work with institutional data as follows:
- For personal files (or files that coworkers would not need if you left the university), UITS recommends using Microsoft OneDrive at IU or Google at IU My Drive.
- For work involving Public or University-Internal data, UITS strongly recommends using Microsoft Teams at IU or Google at IU Shared Drives.
- For work involving Restricted data or Critical data, you must use Microsoft at IU Secure Storage or Google at IU Secure Storage.
Note:Each secure storage site must delineate the types of sensitive data used; users must take appropriate compliance training(s). To request secure storage for use with Microsoft 365 or Google at IU, submit the Institutional storage request form.
Microsoft 365 and Google at IU applications are not appropriate for the following types of sensitive institutional data:
- Credit card or Payment Card Industry (PCI) data
- Information regulated by Export Control Laws, such as certain types of research or information about restricted items, technology, or software (see Office of Research Compliance: Export Control)
- Controlled Unclassified Information (CUI)
- Advancement data such as donor gift agreements, donor wealth information, and detailed donor giving information are not approved for these environments.
Official classifications for institutional data at IU are defined in Management of Institutional Data (DM-01). If you have questions about the classifications of institutional data at IU, see Classification levels of institutional data, use the Data Sharing and Handling (DSH) tool, or contact the appropriate Data Steward. To determine the most sensitive classification of institutional data you can store on any given UITS service, see Choose an appropriate storage solution.
Note:
Information classification levels may or may not correspond to the applicable regulation; for example, some information regulated by the Family Educational Rights and Privacy Act (FERPA) may be classified as Restricted, while other types of FERPA-regulated information are classified as Critical. Also, some information may be protected under multiple state and federal regulations (for example, Social Security numbers may be protected under HIPAA, FERPA, and/or state law.) Confirm the Classification levels of institutional data you are working with prior to uploading.
For information about working with sensitive institutional data at IU, see:
- Critical Data Guide
- About dedicated file storage services and IT services with storage components appropriate for sensitive institutional data, including research data containing protected health information
For more about health information, see:
This is document bger in the Knowledge Base.
Last modified on 2021-09-07 15:49:10.