Institutional Data is sorted into categories based on how sensitive and important it is, following the guidelines in IT Policy DM-01: Management of Institutional Data. This helps ensure the data is handled and shared correctly. The Data Classification Matrix helps identify how different types of data are classified at IU and outlines the legal and regulatory requirements the university must follow.
Domain | Subdomain | Classification | Definition | Examples | Laws & regulations | Notes | Policies |
Advancement | Administrative | Restricted | Corporate data collected and maintained for the operations of the IU Foundation and IU Alumni Association including, but not limited to, endowment and financial data, and donor intent. | Organization financial and administrative information (e.g. HRMS, scholarship) | The Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA), Employment Privacy Laws | Some examples are sourced from IU systems, including student, but some have their own domain of IU systems. | |
Advancement | Alumni Trade Secret | Restricted | Data collected for the purpose of identifying, soliciting, and stewarding prospective and current alumni. | Donor and academic records,Educational background,Campus activity,Financial aid,Scholarship,Information collected once a student is an alumnus | The Family Educational Rights and Privacy Act (FERPA) for directory and academic records, Indiana State Breach Notification Law, but shielded from open records laws. | This information can be sourced by student info systems and by individual alumni/donors after graduation. | |
Advancement | Donor Trade Secret | Restricted | Data collected for the purpose of identifying, soliciting, and stewarding prospective and current donors. | Name,Address,Telephone number,Relationship information,Giving information ,Wealth,Giving score,Development priorities ,Development strategy,Contact reports | Indiana State Breach Notification Law, but shielded from Open Records laws. | This data can be stored in Crimson, sourced from student systems, third parties, or individual donors. Donors may include IU employees but there is no direct feed from HRMS. | Subpoenas and Requests for University Records |
Employee | Public record information | Public | Data required by the State of Indiana to be produced upon the receipt of a public records request | Name,Business address,Business phone,Job title,IU email address,Compensation,Dates of first and last employment at IU,Education and training background,Job description,Previous work experience | Indiana Code 5-14-3, Access to Public Records Act (APRA) | Information reviewed by Legal Counsel prior to disclosure to requestor. | |
Employee | Employee health - admin | Critical | Medical information collected for employment related cases (not covered under HIPAA) | Medical information related to FMLA,Worker's compensation,ADA claims | |||
Employee | Employee Relations - Case Files and Terminations | Critical | Records related to employee relations activities that contain data elements identified as Critical or contain highly sensitive information | Employee relations case files,Termination letters | |||
Employee | Employee eligibility and verification | Critical | Records related to employment verification that contain data elements identified as Critical or contain highly sensitive information | Form I-9,Personal profile form,Supporting documentation for I-9 (copy of passport, driver's license, visa) | |||
Employee | Employee relations - other | Restricted | Records related to employee relations functions that contain data elements classified as Restricted or contain sensitive information | ADA accommodations letter,Grievance related forms,Job action reasons (e.g., "medical leave", "gross misconduct", etc.),Performance improvement plans,Discrimination, harassment, and sexual misconduct complaints-case files | |||
Employee | Talent acquisition | Restricted | Records related to recruiting that contain data elements classified as Restricted or contain sensitive information | Background check reports,Hiring committee notes collected during hire process,Job applications | |||
Employee | Personnel | University internal | Records related to employment, position classification, offer letters, wage or salary, employee relations, training, attendance, etc. containing | Faculty Annual Reviews,Faculty reappointment decisions,Offer Letters,Position files (position descriptions and position requisition forms),Performance Reviews,Promotion and Tenure recommendations and votes,Telecommuting agreements,Awards or Commendations | |||
Employee PII - Personally Identifiable Information | Sensitive Identifiers | Critical | Data collected about an employee as part of the employment process that is highly sensitive and may be protected by Indiana State data protection laws | Banking information,Biometrics (i.e. finger print, hand scan, full facial scan),Credit card information,Driver's License number,Passport number,Personal health information,Social Security number,Visa number | Indiana Code 4-1-10: Release of Social Security Number | ||
Employee PII - Personally Identifiable Information | Personal Demographics | Restricted | Personal information collected about an employee throughout the employment process | Last 4 digits of SSN,Home address,Home phone,Gender,Ethnicity,Marital status,Veteran status,Disability status,Date of birth,Age | |||
Employee PII - Personally Identifiable Information | University Assigned Identifiers | University internal | Unique identifiers assigned to an employee as part of the employment process | University ID | |||
Facilities | Room Data | University internal | State and Federal Reporting:  Feeds valid building/room/address into PeopleSoft for class scheduling, Kuali for asset tracking and purchasing-Responsibility center space costing-generates facilities RandR funding and indirect cost recovery rate.  Existing room inventory is the basis for planning new facilities. | Departmental assignment,Number of seats-with associated floor plans ,Official room numbers,Office occupant (person),Square feet area,Type of space | |||
Facilities | Facility work orders-MMS-Maintenance Management System (AIM) | University internal | Tracking Facility maintenance for IU Buildings along with related shop assignment, status, cost and billing | Facility maintenance management/physical plant requests: From new keys/locks to small renovations including preventive maintenance | |||
Facilities | Animal quarters room detail | Restricted | Tracking, reporting and planning new facilities. | Rooms classified as animal quarters | |||
Facilities | Teaching Room Utilization | University internal | Measures use of teaching rooms for efficiency and future planning | Consists of an extract of Student Census blended with building/room data | |||
Facilities | Project data: e-Builder | University internal | Information tracking  facility projects from conception to completion including status, budget, actual cost, project drawings. | Reporting,Task assignment,Budget,Status,Efficiency,Billing | |||
Facilities | Project related data-Bank account #'s | Restricted | Project related billing/income | Project related data,Bank account numbers | |||
Facilities | Campus Map | Public | Used for general way finding. | Aerial imagery,Building names,Building addresses,Emergency phones,Lighted pathways,Parking | |||
Facilities | Utilities | Restricted | Data regarding IU infrastructure and underground utilities | State reporting/tracking/emergency shut off/locating of underground utilities | |||
Facilities Building Data | Demographic Information | Public | State and Federal Reporting:  Provide information to university community and consultants working on IU projects | Official building codes/names,Street address,Building size,Year of construction,Ownership IU Building List: https://cpf.iu.edu/maps-floor-plans/building-list/index.html | IU Naming Policy | ||
Facilities Building Data | Life safety | Restricted | Provided to IU Emergency Responders on all campuses | Detailed floor plans showing gas, water, sprinkler,shut-offs, hazardous materials | |||
Facilities Building Data | Egress plans | University internal | Used for planning, drills, posting within buildings | Basic floor plans showing egress routes and shelter areas | |||
Financial | Capital Asset Data | University internal | Information gathered when purchasing and creating assets in the Capital Asset Management System. | Asset description,Create date,Location information,Manufacturer,Model,Status code,Tag number,Type,Useful life,Vendor | Some information may be produced upon the receipt of a public records request. Indiana Code 5-14-3, Access to Public Records. | FIN-ACC-I-150 Ownership, Depreciation and Capitalization of University Assets FIN-ACC-I-170 Custody and Physical Confirmation of Capital Moveable Equipment | |
Financial | Capital Asset Payment Data | University internal | Payment data related to the purchase, depreciation, transfer and disposal of capital assets. | Asset cost amount,Accumulated depreciation,Payment account and funding source | Some information may be produced upon the receipt of a public records request. Indiana Code 5-14-3, Access to Public Records. | FIN-ACC-I-150 Ownership, Depreciation and Capitalization of University Assets. | |
Financial | Chart of Accounts | University internal | The infrastructure that provides valid values, data validation and financial document rules checking. | Account guidelines,Consolidations,Levels,List of accounts,Object codes,Organizations | Policies including, but not necessarily limited to FIN-ACC-I-1 Role of Fiscal Officer Account Manager and Account Supervisor FIN-ACC-10 Ranking of Fiscal Officer, Account Supervisor, Account Manager, and Delegation of Signature Authority | ||
Financial | Cost Accounting - Facilities and Administration rate | University internal | Data is collected from numerous databases and other sources to be summarized by the cost accounting system by cost pool to develop and negotiate a proposed FandA with the U.S. Department of Health and Human Services rate to facilitate the recovery of the proportionate share of facilities and administrative cost for sponsored programs. | Asset information from the Capital Asset Management system,Financial information from the General Ledger and Labor Ledger,High level statistical data from Human Resources, Student and other IU departments, Interest by building from Treasury,Space and room function information from Space Management,Specific manual detail data collected and maintained from various departments | Various applicable federal laws and regulations, including but not limited to: Title 2: Grants and Agreements PART 200—UNIFORM ADMINISTRATIVE REQUIREMENTS, COST PRINCIPLES, AND AUDIT | ||
Financial | Cost Accounting: Recharge/Service Center Compliance Review | University internal | Data is collected from departments that manage Recharge/Service Centers that bill other IU accounts to assure compliance with applicable university policies and federal regulations. | Asset information from the Capital Asset Management system,Financial information from the General Ledger and Labor Ledger,High level statistical data from Human Resources,Interest by building from Treasury,Specific manual detail data collected and maintained from various departments | Various applicable federal laws and regulations, including but not limited to Title 2: Grants and Agreements PART 200—UNIFORM ADMINISTRATIVE REQUIREMENTS, COST PRINCIPLES, AND AUDIT | University policies including, but not limited to: FIN-ACC-400 Formula for Setting Recharge Center Rates | |
Financial | Ledger Transactions | University internal | Accounting entries contained in the university General Ledger and Labor Ledger and source documentation. | Financial transactions from KFS e-Docs (Cash Receipts, DVs, Procurement Card, Transfer of Funds, Distribution of Income/Expense, Journal Vouchers, Accrual Vouchers, Salary Transfers, Benefit Transfers),Financial transactions from other enterprise systems (Payroll, Travel, Student, Material Management),Financial transactions from subsidiary systems. | Some information may be produced upon the receipt of a public records request.  Indiana Code 5-14-3, Access to Public Records. | FIN-ACC-90 Public Inspection of Indiana University Accounts Receipts and Expenditures (ARCHIVED) | |
Financial | Treasury: Electronic Claims Table | Critical | Records related to electronic payments made to the university. | Banking information,Credit card data,Customer name,Date of service,Invoice number,Passport number,Social security number,Student ID number | Note: IU does not have any control as to what information is provided by the customer or third party payer. However, the information that is provided is critical in applying payment.  New activities must be approved by the Revenue Producing Activity Committee (RPAC) prior to accepting revenue (VI-121).  Once approval has been obtained from RPAC, the unit may be granted access to the Electronic Payment Claims Table if the unit also meets the requirements outlined in the Accounts Receivable Standard Operating Procedure (ARSOP) #5:  Access to the Electronic Claims Table and has received approval from the Office of the Treasurer and Non-Student Accounts Receivable. | FIN-TRE-120 Processing Revenue | |
Financial | Commitments | Restricted | An assurance, obligation, plan, or pledge within or between units of the university.  Commitments may fall outside the encumbrance process and may be one-time or long-term in nature. | Dean agrees to fund a special project or program for the Chair of a department,Funds are pledged for new faculty or university initiative start-up costs | Some information may be produced upon the receipt of a public records request.  Indiana Code 5-14-3, Access to Public Records. | ||
Financial Accounts Payable | Vendor Tax Information | Critical | Data collected for tax reporting requirements associated with domestic payments. | SSNs for IRS Tax identification (sole proprietors) | Indiana Code 4-1-10: Release of Social Security Number Indiana Code 4-1-11: Notice of Security Breach | ||
Financial Accounts Payable | Vendor Bank Info (Invoice) | Restricted | Banking information provided on vendor invoices. | Bank Information | Certain vendors publish their bank account information by standard practice on the face of each invoice. | ||
Financial Accounts Payable | Payment Documentation | Restricted | Supporting documentation to provide an accurate audit trail for payment reason. | General supporting documentation (utilities, supplies, etc.) for Disbursement Voucher, Payment Requests, and Procurement Card purchases. | Some information may be produced upon the receipt of a public records request.  Indiana Code 5-14-3, Access to Public Records. | FIN-ACC-420 Disbursement Voucher Supporting Documentation | |
Financial Cash Control | Bank Balancing Data | Critical | Reconciliation of bank transactions, bank statement data and how bank data relates to general ledger activity. | Bank statements,Credit card income reconciling,Daily general ledger transaction data | |||
Financial Cash Control | Custodial Funds | University internal | Custodial funds are maintained on an imprest basis and are authorized to be used by a designated custodian to meet a specific operational need within the custodian's area of responsibility that cannot be accommodated by normal payment procedures, including the use of purchase orders, departmental purchase orders, or disbursement vouchers. Data in this area is maintained to assure proper controls to safeguard funds and facilitate reconciliation of activity to the general ledger. | Custodial fund history,Agreements,Revalidation,Reconciliation data | FIN-ACC-I-560 Custodial Funds | ||
Financial Cash Control | Unclaimed Property | Critical | Analysis and maintenance of data for disbursement, vendor, and bank activity used to track outstanding check register items after the six months stale date to attempt to locate and pay the payee or escheat the unclaimed property to the respective state government based on payee's last known address. | Payroll checks,Refund checks,Stale bursar checks,Vendor checks | Indiana Code 32-31: Lost or Unclaimed Personal Property High level subject to Freedom of Information Act (FOIA) Other US States and DC applicable unclaimed property laws | Outstanding items are escheated to state governments based on the last known address of payee and the respective state's statute regarding unclaimed property. | FIN-ACC-I-530 Write-Off of Outstanding University Checks |
Financial Non-student Accounts Receivable | Payment Processing | University internal | Records related to how the payment was received (i.e., lockbox, credit card, ACH) and how the payment was applied. | Amount of funds received, Check number,Customer name,Date,Processing organization | The Application document documents how the funds were applied. The document allows the user to apply to a specific customer and invoice, move the funds outside of the accounts receivable module or place it in unapplied while we research where the funds should be applied. | ||
Financial Non-student Accounts Receivable | Accounts Receivable System | University internal | Records related to customer information, invoices, billing organization and processing organization information, customer credit memos and related AR reports. | Aging reports,Billing statements ,Customer name,Customer address,Customer phone,Description of items and quantity ordered,Invoice reports | FIN-ACC-I-490 Non-Student (External) Accounts Receivable, Annual Write-off Report | ||
Financial Non-student Accounts Receivable | Write-offs | University internal | Data related to University write-offs. | Amount being written off,Customer number,Explanation of why invoice is being written off, Invoice number that is being written off | FIN-ACC-I-500 Write-Off of Accounts | ||
Financial Payroll | HR Personally Identifiable Information | Critical | Records related to Employee tax, deduction, and direct deposit setup.  All paycheck wage, tax, benefit, and deduction detail including year-end tax reporting. Detailed attendance and Kuali Time data. | Bank account numbers,Direct deposit,Social security number | Indiana Code 4-1-10: Release of Social Security Number | ||
Financial Payroll | HR Tax Records | Restricted | Records related to Employee tax, deduction, and direct deposit setup.  All paycheck wage, tax, benefit, and deduction detail including year-end tax reporting. Detailed attendance and Kuali Time data. | Contributions,Deductions,Employee tax | |||
Financial Payroll | HR Timesheet Records | University internal | Records related to Employee tax, deduction, and direct deposit setup.  All paycheck wage, tax, benefit, and deduction detail including year-end tax reporting. Detailed attendance and Kuali Time data. | Funding data,Timesheet data | |||
Financial Student Loans | Demographic and Loan Information | Critical | Contact/Demographic data related to the borrower and all related loan information. | Adjustments,Assignment,Cancellation and benefit data,Demographic data related to the borrower, Loan disbursement amount,Payment information,Promissory note | Family Educational Rights and Privacy Act (FERPA) Indiana Code 4-1-10: Release of Social Security Number | ||
Financial Student Loans | Collection Data | Critical | Contact/Demographic data related to the delinquent account. | For internal collections: audit trail of correspondence with the borrower or delinquent account (i.e. letters, emails, memos). For external collections: Contact information for parents, spouse, relatives, credit bureau information, agency placement, acceleration data | Family Educational Rights and Privacy Act (FERPA) | ||
Financial Tax Reporting | Periodic Reporting/Returns | Critical | Returns/forms filed to satisfy Federal, State, Local, and International reporting requirements. | 941, ST-103, 990-T,720,8300,8038,8233,W-7,Sales, excise and withholding taxes | Various Federal, State, Local, and International taxing authorities | ||
Financial Tax Reporting | Reportable Payments and Forms | Critical | Forms generated to satisfy Federal, State, Local, and International reporting requirements for payments made. | 1099 series,W-2,1098-T,1042-S,New hire reporting with states, Unemployment reporting through ADP | Various Federal, State, Local, and International taxing authorities | ||
Financial Tax Reporting | Employee, Student, and Vendor Info | Critical | Data collected for governmental taxation requirements (e.g., Federal, State, Local withholding and tax treaty benefits for payments to a foreign student, employee or vendor) | Copies of passports,Copies of VISAs,Citizenship,SSN | 26 U.S. Code Chapter 3, Subchapter A - Nonresident Aliens and Foreign Corporations Indiana Code 4-1-10: Release of Social Security Number | ||
Financial University Budget Office | Official Budget | University internal | The Official Budget provides the Trustee Approved IU budget. | Base, Current and Monthly budgets by chart,Base, Current and Monthly budgets by Fund Group,Base, Current and Monthly budgets by Division/Organization | Some information may be produced upon the receipt of a public records request.  Indiana Code 5-14-3, Access to Public Records. | FIN-BUD-1 Official Budget | |
Financial University Budget Office | Credit Hours | University internal | Credit hours and enrollment history information. | Credit hour enrollment figures, excluding Advanced College Placement (ACP), for the previous semester by campus,Credit hour enrollment figures, excluding Advanced College Placement (ACP), for the previous semester by Responsibility Center (RC) | Some information may be produced upon the receipt of a public records request. Indiana Code 5-14-3, Access to Public Records. | ||
Financial University Budget Office | Approved Fee Rates | Public | Instructional and Other Mandatory and Non-Instructional Fee Rates as approved by the Trustees of Indiana University. The Non-Instructional fees contain the administrative and course-related fees approved by the VPCFO. | Student activity fee,Technology fee | |||
Financial University Budget Office | Operating and Appropriation Requests | University internal | The operating, fee replacement, and special state appropriation request prepared by instructions issued by ICHE and the State Budget Agency. Recently, the request has been based on performance funding. | Operating, fee replacement, special state appropriations | Some information may be produced upon the receipt of a public records request. Indiana Code 5-14-3, Access to Public Records. | ||
Health | Patient or Member of Health Plan | Critical | Individually identifiable health information created or received by a health care provider (health care providers include, but are not limited to: physicians, dentists, optometrists, psychologists, nurse practitioners, hospitals, nursing homes and clinics) | Any dates such as: Birth, Service, Payment, Appointment, Death, Visit,Any unique identifying number, characteristic or code (e.g. unique diagnoses, unique physical feature: tattoo, world’s tallest person, 5 time MVP),Biometrics (i.e. finger print, hand scan, full facial scan),Demographic information such as: Name, Street Address, City, Zip Code, Phone Number, Email Address,Full facial photographs or similar images,Medical Records: Treatments, Diagnoses, Diagnostic Tests, Plan of Care, Surgeries, Outcomes,Numbers such as: Account, License Plate, Medical Record Number, Device Serial Number, Social Security Number, Insurance ID,Records that include: Drug and Alcohol Abuse, Sexually Transmitted Diseases (e.g. HIV), and Mental Health Status | Covered Entity – HIPAA Privacy and Security Rules and State Laws Non-Covered Entity – State Laws | Health information is protected under both federal and state laws. IU is a covered entity, meaning IU must protect health data complying with the requirements under HIPAA. There are exceptions: HIPAA does not apply to health data in employee records maintained for employment purposes or student education / treatment records. | |
Health | Student - Administrative Data | Restricted | Individually identifiable health information directly related to a student and maintained by the University for administrative purposes; included in the student education record. | Doctor's note for reduced course work,Immunization records,Physicals including those for athletes | Family Educational Rights and Privacy Act (FERPA) | If a person is an employee and a student, the subdomain is determined by the reason the health information was collected.  Health information required and collected based on the individual's role as a student would fall under this subdomain, even if the individual is also employed by IU (e.g. immunizations, athletic physicals, etc.). | |
International Documents | International Admissions and Services Operations | Restricted | Documents and data used for processing international applicants | Foreign transcripts or other academic transcripts | Record is used for the sole purpose of treating the student and are not available to anyone other than the student and the persons providing such treatment.  | ||
International Documents | Immigration Tracked Information | Critical | Documents required to be maintained by Indiana University. | Bank statements,Copies of passports,Copies of VISAs,Doctor medical exception note,Job offer letters | DHS / ICE: Operations of United States Immigration and Customs Enforcement’s Secure Communities | ||
International Documents | International Partnerships | Restricted | Agreements made with entities in other countries for exchange programs, research, teaching and learning, international developments | Agreements,Notes from discussion leading up to the agreements | |||
International Documents | Honors Program in Foreign Language | Critical | Grade information,Lists,Student application,Where going,When going | ||||
International Data | Immigration Tracking Information | Restricted | Data maintained in SEVIS database, and managed by Indiana University and reported into SEVIS. | Audit/alert data,Category classification,Expense and funding numbers (no accounts),Field of study,Fields to comply with employment authorization,Program begin and end date,SEVIS number,Subject area | DHS / ICE: Operations of United States Immigration and Customs Enforcement’s Secure Communities (Revised) | ||
International Data | Employment Based Public Inspection File and Notices | Public | Information for H1B or PR residency required by USCIS and DOL to be made actively public (i.e. posted to the web for duration of time) as part of a petition process. Information required to allow work in US and petition for permanent residency for approval and public inspection requirements. | Information tied to job (not person),Notice of intent to hire an H1B, labor certification posting notice, Public inspection file and related documents/details | Department of Labor: H-1B Program | Required to be public generally for audit from DOL. | |
International Data | Immigration Petition for Employment | Critical | Data used to petition for employment (H1B, E3, O1, etc) authorizations, and permanent residency. | Generally I-129 or I-140 and supporting documentation or information which may contain SSN or other critical data | USCIS: H-2B Employer Data | ||
International Data | Immigration Position Review | Restricted | Data tracked to review the position | Audit/alert data,H1B (etc) approval periods,iCert data,LCA periods and minimum required wage information,PERM data,Snapshots for scholar reporting | |||
International Data | International Admissions and Services Operations | Restricted | Workflow data that is used to manage people through the full process of international lifecycle processes (admissions, pre-arrival, scholar services, study abroad) with communication plans as well. | Approvals,Communications,Dates,Stages,Status | |||
International Data | Study Abroad Program Data | Public | General information about Study Abroad programs | Study abroad program | |||
International Data | Study Abroad Student Participant Tracked Data | Critical | Study Abroad applications and admissions data, verified duplicates of identity and citizenship confirmation documents | Copies of passports,Copies of VISAs | |||
Library | Circulation | Restricted | Records related to library patrons, library management system users, and materials borrowing | Bills and fines,Current address/phone,Current checkouts and holds,DOB (for Indiana resident non-IU faculty/staff/students),E-mail address,Name,Permanent address/phone,Usernames and passwords for staff authorized to use WorkFlows client for staff access to library management system | Family Educational Rights and Privacy Act (FERPA) | Staff User Records are classified as Critical. Maintained in SirsiDynix Symphony library management system and mirrored in IU Data Warehouse. | IU Libraries Privacy Policy LIB-01 |
Library | Acquisitions | University internal | Records related to purchasing of materials and subscriptions for the Libraries | Addresses,Company name,Contact names,Invoices,KFS vendor file IDs,Payment requests,Phone numbers,Purchase orders | Maintained in SirsiDynix Symphony library management system and mirrored in the IU Data Warehouse. | ||
Library | Bibliographic | Public | Bibliographic and item records for materials held by the Libraries | Author,Call number,Checkout/hold status,Dates,Due date,Identifiers,Library location,Notes,Publisher,Subjects,Title | Maintained in SirsiDynix Symphony library management system and mirrored in ODS; publicly accessible via iucat.iu.edu and Z39.50 protocol | WorldCat Rights and Responsibilities for the OCLC Cooperative | |
Library | Circulation - Archive | Critical | Records of old bills and fines pre-September 2004 | Item information,Patron information including SSNs as university ID numbers | Family Educational Rights and Privacy Act (FERPA) | Historical datagroups; only in IUIE; Records are accessible only to data managers and top-level circulation staff for purposes of troubleshooting and historical reporting | IU Libraries Privacy Policy LIB-01 |
Purchasing | General purchasing | University internal | Data related to University goods and services procurement activity. | Vendor information,Purchase requisitions,Purchase orders,Vendor contracts and agreements | Subject to open records law, University policy, signature authority, and federal laws for sponsored program accounts. | ||
Purchasing | Purchase Order Involving Lab Animals | Restricted | Information related to the researcher’s identity and purchased items. | Lab animal locations, numbers, types,Researcher name, address, etc. | |||
Purchasing | Vendor Tax IDs | Critical | Could be SSNs for sole proprietors | Indiana Code 4-1-10: Release of Social Security Number | |||
Purchasing | Vendor Bid Documentation | Restricted | Details of a response to an RFQ/RFI/RFP solicitation prior to award,Vendor specifications,Price quotations,Other proprietary bid information | Per Indiana Code 5-22-9-4, “Proposals must be opened so as to avoid disclosure of contents to competing offerors during the process of negotiation.” | FIN-PUR-10: Release of Procurement Records | ||
Purchasing | Awarded Bid Information | Public | Amount of bid,Name of company,Proprietor submission,Response to bid | Public, with limited exceptions for contractually bound confidentiality. Per IU Policy FIN-PUR-10, “Records related to procurement activities may be released by Purchasing Department personnel and/or University Counsel only upon review and authorization by University Counsel and the Associate Vice President, University Procurement Services.” | |||
Office of Research Administration Grants | Research Proposal Development | University internal | Data related to Research Grant proposal and budget development in pre-submission to a sponsor. | Funding level proposed,Funding source,Intellectual and financial credit splits,Lead units involved in the research,Principal investigators and key persons names,Proposal documents,Title of proposal/study | Faculty member submits a proposal to NSF for funding related to research s/he would like to pursue.  The proposal includes key researchers, scope of work and budget. | ||
Office of Research Administration Grants | Research Institutional Proposal | University internal | Institutional record for a Proposal after submission to sponsor. Maintains proposal, sponsor, and award information. Includes proposals created via Proposal Log document. | Funding level proposed,Funding source,Intellectual and financial credit splits,Lead units involved in the research,Principal investigators and key persons names,Proposal documents,Title of proposal/study | The Proposal Development form routes to all IU approvers and then is marked final, which generates an Institutional Proposal record.  This is used to provide standard institutional reports. | ||
Office of Research Administration Grants | Research Award | University internal | Data related to proposals that have been awarded funds via a designated sponsor. Includes information regarding subawards/subcontractor and subrecipients. | Detailed Award Budget tool,F and A rates,Currently available funds (obligated), future funding (anticipated),Development Proposal provides Award Budget details, Subaward; Terms and Conditions,Direct and Indirect (optional) funding levels,Funding level proposed,Funding levels,Funding source,Institutional Proposals as Funding source,Intellectual and financial credit splits,Lead units involved in the research,Links to other Modules,Principal investigators and key persons names,Proposal documents,Required approvals for equipment,Required approvals for foreign travel,Subawards,Title of proposal/study | NSF awards IU a grant based on the proposal submitted. IU records the information in the Award. | ||
Office of Research Administration Grants | Research Negotiations | Restricted | Allows the sponsored programs office to manage negotiations for a proposed research project or for other locally defined activities, such as Material Transfer Agreements, Proprietary Information Agreements, or Non-Disclosure Agreements. | Agreement type,Electronic documents,Negotiator names,Principal investigator names,Sponsor,Start and end dates of negotiation,Status | We record our actions related to the proposal we submitted, and the award we eventually received.  We tracked specific measures to allow us to run metrics (days required to negotiate a contract; days to set up an account, etc.) | ||
Office of Research Administration Grants | Research Questionnaires | University internal | Questions related to the proposal | Certifying responsibility for the research to be conducted,Eligibility of principal investigator to conduct research via a federal entity,Regarding conflict of interest,Regarding whether application is to be submitted to a federal or federal pass-thru sponsor | The faculty member answers questions related to the project, such as if new space is needed, or if cost share is required. The faculty member answers questions to certify various statements. | ||
Office of Research Administration Grants | Research Subawards | University internal | Questions related to the subaward | Budget,Co-PIs,Information related to subawards provided to other institutions,Lead unit,Timeframes,Title | IU receives an award from NSF, and subawards a portion of the funds to Purdue to collaborate with the researcher. | ||
Research Compliance | Committee Membership | Restricted | Research Committee membership data | Names,Contact information,CVs/Resumes,Specialities,Conflicts of interest,Gender (Institutional Review Board members only) | |||
Research Compliance | COI Disclosure Status | University internal | Completion Status of individuals' disclosure for Conflict of Interest purposes | Date of completion,Name,Status (e.g. complete, pending, incomplete) | Other university offices need to ensure completion of requirement. | ||
Research Compliance | Human Subjects (IRB) Records | Restricted | IRB Records: Records documenting the IRB review of research protocols, including considerations and determinations. | Participant complaint tracking log,Records of Amendments,Renewals and other incidents reported to the IRB during the course of the research protocol being conducted | Code of Federal Regulations: Title 45: Public Welfare, Department of Health and Human Services; Part 46: Protection of Human Subjects | ||
Research Compliance | COI Disclosures | Restricted | Research related financial Conflict of Interest Disclosures, COI Committee Documents, COI Management Plans | Annual disclosure required for all persons involved in the design, conduct and reporting of research,Committee Minutes and determinations,Department,Entities outside of IU,Financial entities, Management plans or best practices memos approved by COI committees for mitigating financial conflicts of the investigator and the research,Role at university,Travel reimbursements and dollar amounts in ranges,Username | UA-17: Conflicts of Interest and Commitment | ||
Research Compliance | Quality Improvement - Human Subjects Research Auditing | Critical | Audit records and reports may contain details about protocol deviations, IRB protocols, Reportable and non-reportable noncompliance, including subject level PHI such as name, DOB, MRN and details about study procedures completed by the individual, including outcomes. Audit records may also contain information from financial Conflict of Interest Management Plans for members of the research team | HIPAA Privacy Rule | A Human Subjects Auditing program is required for accreditation of IU's Human Research Protection Program and to meet the contractual obligations to serve as the IRB of record for other institutions. | IU HRPP Policy - Auditing | |
Research Compliance | Radiation Safety Committee Documents | University internal | Radiation Safety Committee (RSC) Documentation | Meeting minutes and determinations,Reviews of Occupational Health and Safety Programs- staff exposure to radiation | Protect IU: Environmental Health & Safety | ||
Research Compliance | Research Integrity Case files | Restricted | Research Integrity Case files (allegations, inquiries, investigations, and outcome/determinations) | Correspondence from complainant and respondent,Deciding official,Review and feedback from committee | Conducting Research Responsibly | Minimum necessary access to these data granted by the Research Integrity Officer. | Research Misconduct, ACA-30 |
Research Compliance | Research Integrity Sequestered Data (PHI) | Critical | Sequestered Data from respondents in allegations | Electronic and paper copies,Hard drives,Medical records,Research Data | HIPAA Security Rule | ||
Research Compliance | Research Compliance Training Records | University internal | Responsible Conduct of Research, other course completion | Collaborative Institutional Training Initiative (CITI) records,Educational Opportunities records and rosters | |||
Research Compliance | Export Controls | Restricted | Disclosure of technology, software or other items that cannot be shipped or carried abroad by researchers. | Description of researchers' technology or product that must be secured,Other handling procedures | Department of Commerce’s Export Administration Regulations (EAR), Department of State’s International Traffic in Arms Regulations (ITAR) | ||
Research Compliance Protocols | Animal Care and Use (IACUC) | Restricted | Protocols and Committee Documents - Animal Care and Use | Locations or room numbers housing animals used in research,Minutes from Committee Meetings and documentation of review and determinations,Research protocols listing personnel involved in the research,Research procedures and data collection methods,Species of animals | Rationale: Access should be controlled due to location and animal information. | RP-11-001: Care and Use of Vertebrate Animals in Research and Education, Research-Related Policies | |
Research Compliance Protocols | Biosafety | Restricted | Protocols and Committee Documents - Biosafety | Could include IACUC or IRB protocol data,Locations of research,Minutes from Committee Meetings and documentation of review and determinations,Research procedures and data collection methods,Research protocols listing personnel involved in the research | Rationale: Identifying locations could include Animal use areas, select agents in use and other hazardous biologicals. | IUEHS-45: Biosafety Manual (IU Login Required), Research-Related Policies | |
Research Compliance Protocols | Radiation Safety Committee Protocols | University internal | Radiation Safety Committee (RSC) Protocols | IRB protocols,Locations and dosimetry calculations,Procedures involving radiation | Protect IU: Environmental Health & Safety | ||
Research Compliance Protocols | Human Subjects (IRB) Protocols | University internal | IRB Protocols: Research protocols listing personnel involved in the research and research procedures. | Research Procedures and data collection methods (including identification of drugs and devices),Risks and protection procedures | Code of Federal Regulations: Title 45: Public Welfare, Department of Health and Human Services; Part 46: Protection of Human Subjects | ||
Research Data | Default | Restricted | Any information used within the context of a specific research to answer research questions; Per 2 CFR 200.315 "(3) Research data means the recorded factual material commonly accepted in the scientific community as necessary to validate research findings, but not any of the following: preliminary analyses, drafts of scientific papers, plans for future research, peer reviews, or communications with colleagues. This “recorded” material excludes physical objects (e.g., laboratory samples)." | Survey data associated with human participants,Interviews or focus groups,Behavioral data about human participants,Observational data about human participants,Analysis of specimens | 2 CFR Part 200 | Classifying research data can be complicated and context dependent. The default classification for research data at IU is restricted. To make the case for re-classifying a research data set as public data, you need to provide a clear rationale or describe how all protected data elements have been removed from the data set. For assistance, see the article How to classify research data. | |
Research Data | Research Data Related to Trade Secrets and Commercialization | Restricted | Any information used within the context of a specific research to answer research questions; Per 2 CFR 200.315 "(3) Research data means the recorded factual material commonly accepted in the scientific community as necessary to validate research findings, but not any of the following: preliminary analyses, drafts of scientific papers, plans for future research, peer reviews, or communications with colleagues. This “recorded” material excludes physical objects (e.g., laboratory samples)." | Electronic and paper files containing research data,Hard drives containing research data related to the project,Lab notebooks,Research protocols used to generate research data | 2 CFR Part 200 | Classifying research data can be complicated and context dependent. The default classification for research data at IU is restricted. To make the case for re-classifying a research data set as public data, you need to provide a clear rationale or describe how all protected data elements have been removed from the data set. For assistance, see the article How to classify research data. | DM-01: Management of Institutional Data, UA-23: Intellectual Property: Copyrightable Works, UA-24: Intellectual Property: Inventions and Patents, ACA-30: Research Misconduct |
Research Data | Research Data Related to Patent Applications | Restricted | Any information used within the context of a specific research to answer research questions; Per 2 CFR 200.315 "(3) Research data means the recorded factual material commonly accepted in the scientific community as necessary to validate research findings, but not any of the following: preliminary analyses, drafts of scientific papers, plans for future research, peer reviews, or communications with colleagues. This “recorded” material excludes physical objects (e.g., laboratory samples)." | Electronic and paper files containing research data,Hard drives containing research data related to the project,Lab notebooks,Research protocols used to generate research data | 2 CFR Part 200 | Classifying research data can be complicated and context dependent. The default classification for research data at IU is restricted. To make the case for re-classifying a research data set as public data, you need to provide a clear rationale or describe how all protected data elements have been removed from the data set. For assistance, see the article How to classify research data. | DM-01: Management of Institutional Data, UA-23: Intellectual Property: Copyrightable Works, UA-24: Intellectual Property: Inventions and Patents, ACA-30: Research Misconduct |
Research Data | Research Data Received by IU and Subject to a Data Use or Sharing Agreement | Restricted | Any information used within the context of a specific research to answer research questions; Per 2 CFR 200.315 "(3) Research data means the recorded factual material commonly accepted in the scientific community as necessary to validate research findings, but not any of the following: preliminary analyses, drafts of scientific papers, plans for future research, peer reviews, or communications with colleagues. This “recorded” material excludes physical objects (e.g., laboratory samples)." | Restricted use data sets from government,Commercial data sets,Data scraped from social media platforms,Limited data sets (under HIPAA) | 2 CFR Part 200 | Classifying research data can be complicated and context dependent. The default classification for research data at IU is restricted. To make the case for re-classifying a research data set as public data, you need to provide a clear rationale or describe how all protected data elements have been removed from the data set. For assistance, see the article How to classify research data. | |
Research Data | Research Data Containing Critical Data Elements | Critical | Any information used within the context of a specific research to answer research questions; Per 2 CFR 200.315 "(3) Research data means the recorded factual material commonly accepted in the scientific community as necessary to validate research findings, but not any of the following: preliminary analyses, drafts of scientific papers, plans for future research, peer reviews, or communications with colleagues. This “recorded” material excludes physical objects (e.g., laboratory samples)." | Research data containing participants' Personally Identifiable Information (PII), Personal Health Information (PHI), or other sensitive data that could cause harm to participants if made public,Date of birth,Phone number,Address,Criminal activity,Audio and Video recordings of human participants,Photographs and Geolocation of human participants | 2 CFR Part 200; The Common Rule (45 CFR 46); HIPAA Privacy Rule official versions at 45 C.F.R. Part 160, Part 162, and Part 164 | Classifying research data can be complicated and context dependent. The default classification for research data at IU is restricted. To make the case for re-classifying a research data set as public data, you need to provide a clear rationale or describe how all protected data elements have been removed from the data set. For assistance, see the article How to classify research data. | DM-01: Management of Institutional Data, DM-02: Disclosing Institutional Information to Third Parties, UA-23: Intellectual Property: Copyrightable Works, UA-24: Intellectual Property: Inventions and Patents, ACA-30: Research Misconduct |
Research Data | Public access research data | Public | Any information used within the context of a specific research to answer research questions; Per 2 CFR 200.315 "(3) Research data means the recorded factual material commonly accepted in the scientific community as necessary to validate research findings, but not any of the following: preliminary analyses, drafts of scientific papers, plans for future research, peer reviews, or communications with colleagues. This “recorded” material excludes physical objects (e.g., laboratory samples)." | Data on the tissue effects of musculoskeletal resulting from osteoporosis and chronic kidney disease,Data on water samples in Indianapolis waterways,Field data from an ecological study of birds,Genomic sequences for animal species,Scholarly publication metadata,Metadata about data sets | 2 CFR Part 200, Office of Science & Technology Policy 2013 Memorandum on Public Access to the Results of Federally Funded Research, SPARC Data Sharing Requirements by Federal Agency | Classifying research data can be complicated and context dependent. The default classification for research data at IU is restricted. To make the case for re-classifying a research data set as public data, you need to provide a clear rationale or describe how all protected data elements have been removed from the data set. For assistance, see the article How to classify research data. | DM-01: Management of Institutional Data, UA-05: Intellectual Property Policy, ACA-30: Research Misconduct |
Student | Directory Information | Public | General academic information about a student or academic program or classes that may appear in public documents and may be released to the public without student consent unless the student requests non-disclosure through the Registrar's office. | Student Name,Major,Degree,Dates of Attendance,Campus,School,Class Standing (e.g. sophomore),Awards,Sports,Schedule of Classes,Course catalog,Username,IU E-mail address | Family Educational Rights and Privacy Act (FERPA) | This is a "may release", not a default release; a student can file to restrict disclosure, which changes the classification from public to restricted. | VPSO-05: Student Rights Under FERPA and Release of Student Information |
Student | Admission Records | Restricted | Records collected for admission to the university restricted to school officials that require the information for their job responsibilities. | Admission application data,High school data,Letters,Placement scores,Residency classification,SAT and other entrance exam test scores,Transfer articulation,Transcripts from high schools and other universities (that do not contain SSN or other critical data) | |||
Student | Academic-Education Records (FERPA) | Restricted | Academic, advising, and biodemographic records that are directly related to the student, maintained by the institution, and restricted to those school officials with legitimate educational interest | Academic transcript,Advising records,Class recordings,Class rosters,Class schedule,Degree maps and progress reports,Exam and assignment grades,Faculty grade book,Financial aid resources,GPA,Holds,Payment history,Personal characteristics (ethnicity, date of birth, marital status, military status etc.),Registration and enrollment records,Residency,SAP,Scholarships,Student bills,Student conduct and disciplinary records | |||
Student | Financial Account Information, Financial Aid FAFSA, Student Loan Applications (GLBA) | Critical | Records related to financial accounts, credit card numbers, or federal information containing SSN, driver's license and parent tax information considered highly sensitive | Bank routing and account information,Credit card account information,FAFSA with SSN and driver's license,Parent tax information,Loan documents containing SSN | Gramm Leach Bliley Act (GLBA), Family Educational Rights and Privacy Act (FERPA), Indiana state data protection laws | For sending (transmitting) data sets of 100+ records, use the Secure Share (replacing Slashtmp) or the CSEES (formerly CRES) to ensure encryption. Work with your local service provider to identify appropriate storage services for data sets containing data on 1000 or more students. | VPSO-05: Student Rights Under FERPA and Release of Student Information |
Student | Student Life, Services, Housing | Restricted | Data collected and maintained for student activity and services such as on-campus living, parking operations, career services, exercise facilities (SRSC), student activities and clubs. | Career planning files, including placement information and employers' files,Co-curricular transcript,Event attendance tracking,International programs and services files,Probation information | Family Educational Rights and Privacy Act (FERPA) | For sending (transmitting) data sets of 100+ records, use the Secure Share or the Office Message Encryption to ensure encryption. Work with your local service provider to identify appropriate storage services for data sets containing student data on 1000 or more students. Attendance tracking data becomes critical if provided in real time. | VPSO-05: Student Rights Under FERPA and Release of Student Information |
Student | Student Health - Admin | Restricted | Individually identifiable health information directly related to a student and maintained by the University for administrative purposes; included in the student education record. | Doctor's note for reduced course work,Immunization records, Physicals including those for athletes | Family Educational Rights and Privacy Act (FERPA) | For sending (transmitting) data sets of 100+ records, use the Secure Share or the Office Message Encryption services to ensure encryption. Work with your local service provider to identify appropriate storage services for data sets containing student data on 1000 or more students. If a person is an employee and a student, the subdomain is determined by the reason the health information was collected. Health information required and collected based on the individual's role as a student would fall under this subdomain, even if the individual is also employed by IU (e.g. immunizations, athletic physicals, etc.). | VPSO-05: Student Rights Under FERPA and Release of Student Information |
Student | Student Health - Clinical | Critical | Individually identifiable health information directly related to a student, collected by a healthcare provider acting on behalf of the University pertaining to and used for treating students enrolled at IU, included in the student treatment record. This includes records maintained by IU student health centers and student counseling programs. | Appointments,Medical records,Treatments,Diagnoses,Diagnostic tests,Plan of care,Dates of service,Mental health records,Drug and alcohol abuse records | FERPA and state law; HIPAA does not apply | For sending (transmitting) data sets of 100+ records, use the Secure Share or the Office Message Encryption services to ensure encryption. Work with your local service provider to identify appropriate storage services for data sets containing student data on 1000 or more students. Records are used for the sole purpose of treating the student and are not available to anyone other than the student and the persons providing such treatment. | VPSO-05: Student Rights Under FERPA and Release of Student Information |
Student PII - Personally Identifiable Information | Sensitive Identifiers | Critical | Education records collected at Admissions or during the course of enrollment directly related to the student that contain highly sensitive personally identifiable identifiers protected by the Indiana State Data Protection laws and FERPA | Banking information,Biometrics (i.e. fingerprint, hand scan, full facial scan),Credit card information,Driver's License number,Personal health information,SEVIS number,Social Security Numbers,Visa number | Indiana Code 4-1-10: Release of Social Security Number, Gramm Leach Bliley (GLBA), Family Educational Rights and Privacy Act (FERPA) | Only for legally required identification. Don't use, publish, copy, download, share, transmit. Restrict view access to least privilege. | DM-01: Management of Institutional Data |
Student PII - Personally Identifiable Information | University Assigned Identifiers | University internal | University ID Numbers | Family Educational Rights and Privacy Act (FERPA) | Available to those who manage, teach and administer classes and to decision-makers for analysis and planning. Should not be released to third parties without written consent from the owner of that data; For sending (transmitting) data sets of 100+ records, use safe techniques for file transfer such as Microsoft Teams or Secure Share. | DM-01: Management of Institutional Data | |
Student PII - Personally Identifiable Information | Personal Demographics | Restricted | Personal or historical characteristics about an individual protected by FERPA. | Last 4 digits of SSN,Country of citizenship,Date of birth (except in the Health Domain),Ethnicity,Gender,Home address,Home and cell phone,Pronouns,Marital status,Military status,Residency | Family Educational Rights and Privacy Act (FERPA) | DM-01: Management of Institutional Data | |
Travel | General Travel and Trips | Restricted | Information about trips taken on behalf of IU, can include students | Contact info,Travel plans,Hotel reservations,Dates of travel,Reimbursement | Subject to open records law. FERPA applies for student travel paid for by IU. | ||
Travel | Future Dated Trips | Restricted | Information about trips to be taken on behalf of IU, more sensitive because of identification/location information | Contact info,Dates of travel,Location of travel,Estimated costs,Registration | Subject to open records law | Restricted to University travel administrators | |
Travel | Past Dated Trips | Restricted | Internally sensitive due to perceived equity issues | Contact info,Dates of travel,Location of travel,Costs, Hotel,Registration,Attendance,Reimbursement | Subject to open records law | Restricted to Departmental Fiscal Officer | |
Learning Management | Student-LMS data | Restricted | Individual identifiable learning management information directly related to a student and maintained by the university | Class roster,Exam and assignment grades,Personal characteristics,Course grade,Instant messages and emails,Class recordings | Family Educational Rights and Privacy Act (FERPA) | DM-01: Management of Institutional Data |