Data Privacy & Security
There are numerous state laws and standards that govern the use, security and protection of personal information, such as HIPAA/HITECH (federal law governing the privacy and security of personal health information), the Gramm-Leach Bliley Act (federal law related to financial institutions), Red Flag Rules (federal regulation aimed at identifying and preventing identity theft), the Payment Card Industry Data Security Standard (security standards for credit/debit/cash card transactions), and the state laws described below.
State Data Protection and Security Laws
There are three Indiana state laws related to data protection and security that are most frequently applicable to the University and its vendors.
- Social Security Number (SSN) law, Ind. Code § 4-1-10, prohibits the disclosure of SSNs except in very limited circumstances;
- Security Breach law, Ind. Code § 4-1-11, requires notice in the event of an unauthorized disclosure (breach) of personal information held by IU or its vendors. Personal Information means an individual’s name (either first and last, or first initial and last name) together with at least one of the following: SSN, Driver License or ID card number, account number, credit/debit card number, or security code, access code, or password of an individual’s financial account.
- Data Destruction law, Ind. Code § 24-4-14, requires safe disposal or destruction of some personal data held by IU.
The OVPGC works closely with University Information Security Office (UISO) to respond to potential and confirmed breaches of personal and institutional data.
If you have questions regarding data security and privacy, please feel free to contact OVPGC and/or the University Information Security Office. If you suspect a breach has occurred, please refer to the instructions at the UITS site.
- UITS portal
- Information Privacy & Security Program
- Protecting Data
- Reporting Security Incidents
- Data Protection Laws
- Policies & Guidelines on Institutional Data
Data Destruction Requirements
Indiana law requires the University to dispose of personal information in a secure manner. Ind. Code § 24-4-14. The University must also ensure that any vendor that has such data on behalf of IU also complies with the destruction requirements.
Personal Information is defined as an individual’s first name and last name (or first initial and last name) and at least one of the following: (i) SSN; (ii) driver’s license or identification card number; and/or (iii) account number, credit or debit card number, security code, access code, or password on an individual’s financial account.
However, if the data/personal information is encrypted, redacted, or otherwise obtained from publicly available sources, these destruction requirements will not apply.
Proper destruction of personal information under the law is defined as “shredding, incinerating, mutilating, erasing, or otherwise rendering information illegible or unusable.”
Note, if you already comply with the data security and destruction requirements of HIPAA or GLB, you are automatically deemed as complying with Indiana’s Data Destruction law (Ind. Code § 24-4-14).
Commonly Asked Questions Related to Indiana Law on Data Protection and Security
Q: What procedures must I follow in order to properly disclose an SSN or other sensitive data to an external organization or vendor?
A: If you need to provide SSN's or other sensitive data to external organizations or vendors, the IU Purchasing Department has standard language that needs to be included in the contract.
Q: What methods of disposal are sufficiently secure?
A: The law refers to "shredding, incinerating, mutilating, erasing, or otherwise rendering information illegible or unusable." For paper records, it is important to make sure that the shredder you are using shreds in a manner that renders the paper illegible or unusable.
Q: How should IU dispose of electronic data with sufficient security?
A: Please see IU’s guidelines regarding Securely Removing Data.
Q: May our office uses a commercial vendor to shred our paper records?
A: It is OK to use a commercial vendor to shred your paper records if the contract with the vendor has been reviewed and approved by Purchasing and University Counsel, to ensure that the vendor is responsible and that appropriate contract terms are in place to protect the security of the data and to obligate the vendor to take responsibility for any problems with data security on its end. The IU Purchasing Department can provide a list of commonly used vendors.
Q: This law talks about breaches of security in electronic systems. So does that mean that IU doesn't have to give notice if there is a disclosure of paper records with unencrypted personal information in them?
A: Although the Security Breach law only covers disclosures of electronic data, the SSN law includes disclosures of paper records. IU is required to give notice about a disclosure or exposure of paper records containing SSNs.
Q: What should my office do if there a disclosure of any of these types of data?
A: If at any time you become aware of an unauthorized disclosure or exposure of any of the above types of personal data, please immediately call your local campus Support Center or Network Operations Center, and send details to email@example.com. You can also refer to the instructions at the UITS site. The IT Policy and Security Office will coordinate incident response and ensure that all appropriate steps are taken. The Information Technology Policy and Security Office is charged with investigating incidents where sensitive institutional or personal data is suspected to have been exposed, and it has experienced and licensed forensic engineers on staff. This office will coordinate the immediate assembly of an Incident Team to advise and assist in containing and limiting the exposure, in investigating the attack, and in handling notification to the affected individuals and agencies.
Q: What if we're not sure if the computer that the data was on was compromised or not?
A: If at any time you have suspicion that an unauthorized disclosure or exposure of any of the above types of personal data may have occurred, please immediately call your local campus Support Center or Network Operations Center, and send details to firstname.lastname@example.org. Do not access or alter the compromised system. Do not power it off. The IT Policy and Security Office will assist in determining if an exposure occurred, and if so, will initiate appropriate response procedures.