Types of institutional data appropriate for Microsoft 365 at IU and Google at IU

Important:

Individuals who work with institutional data are responsible for ensuring that those data are stored in approved locations. In addition, regulated data such as health information or personally identifiable information are often subject to federal and state laws (for example, HIPAA and FERPA) that require users to apply additional security measures.

In accordance with laws and university policies that protect the privacy and security of institutional data, applications provided by the Microsoft 365 at IU and Google at IU services are appropriate for work with institutional data as follows:

For personal files (or files that coworkers would not need if you left the university), UITS recommends using Microsoft OneDrive at IU or Google at IU My Drive.
For work involving Public data or University-Internal data, UITS strongly recommends using Microsoft Teams at IU.
For work involving Restricted data or Critical data, you must use Microsoft at IU Secure Storage or Google at IU Secure Storage (only available as a paid option for departments).
Important:
- Shared storage in Google is available only as an option for departments that wish to pay for continued storage in Google.
- Due to limits to IU's storage footprint in the Google platform, all individual Google My Drives now have a 5 GB quota.
Note:

Each secure storage site must delineate the types of sensitive data used; users must take appropriate compliance training(s). To request secure storage for use with Microsoft 365, submit the Institutional storage request form.

Microsoft 365 and Google at IU applications are not appropriate for the following types of sensitive institutional data:

Credit card or Payment Card Industry (PCI) data
Information regulated by Export Control Laws, such as certain types of research or information about restricted items, technology, or software (see Office of Research Compliance: Export Control)
Controlled Unclassified Information (CUI)
Advancement data such as donor gift agreements, donor wealth information, and detailed donor giving information are not approved for these environments.

Official classifications for institutional data at IU are defined in Management of Institutional Data (DM-01). If you have questions about the classifications of institutional data at IU, see Classification levels of institutional data, use the Data Sharing and Handling (DSH) tool, or contact the appropriate Data Stewards. To determine the most sensitive classification of institutional data you can store on any given UITS service, see Choose an appropriate storage solution.

Note:

Information classification levels may or may not correspond to the applicable regulation; for example, some information regulated by the Family Educational Rights and Privacy Act (FERPA) may be classified as Restricted, while other types of FERPA-regulated information are classified as Critical. Also, some information may be protected under multiple state and federal regulations (for example, Social Security numbers may be protected under HIPAA, FERPA, and/or state law.) Confirm the Classification levels of institutional data you are working with prior to uploading.

For information about working with sensitive institutional data at IU, see:

For more about health information, see:

Types of institutional data appropriate for Microsoft 365 at IU and Google at IU

Related documents