Disclosing Institutional Information to Third Parties
All agents of the university who have a business need to disclose university institutional information to a third party must be aware of and take proactive steps to reduce the risks associated with the sharing of that information.
The university has a responsibility to exercise prudent stewardship over the information with which it has been entrusted, and certain information is subject to additional legal and contractual requirements.
The university also recognizes the need to share institutional information with partners to accomplish its mission and that, when disclosing this information, the university must exercise due care. Furthermore, to ensure compliance with applicable federal and state laws, regulations, and university policies, it is vital to evaluate and approve the ability of third parties to appropriately handle and protect information before information is shared.
This policy will assist the university in managing the risks inherent in the disclosing of institutional information.
Prior to disclosing institutional information, the agent is responsible for initiating and managing the process below to ensure that:
• there is an adequate understanding of the third party’s security environment;
• business needs, risks, and mitigating safeguards are analyzed and documented; and
• institutional information is adequately protected.
Disclosing information--Data can be shared with a third party in many ways including:
Agents of the university –An individual authorized to act on behalf of the university and its affiliated organizations. For purposes of this policy, the agent will generally be a faculty or staff member.
Third party -- A separate legal entity that has a business, contractual, legal or other relationship with the university, approved external agencies, and affiliated organizations.
Indiana University will handle reports of misuse and abuse of information and information technology resources in accordance with existing policies and procedures issued by appropriate authorities. Depending on the individual and circumstances, involved this could include the offices of Human Resources, Vice Provost or Vice Chancellor of Faculties (or campus equivalent), Dean of Students (or campus equivalent), Office of the General Counsel, and/or appropriate law enforcement agencies. See policy IT-02, Misuse and Abuse of Information Technology Resources for more detail.
Failure to comply with Indiana University information technology policies may result in sanctions relating to the individual's use of information technology resources (such as suspension or termination of access, or removal of online material); the individual's employment (up to and including immediate termination of employment in accordance with applicable university policy); the individual's studies within the university (such as student discipline in accordance with applicable university policy); civil or criminal liability; or any combination of these.
This policy was posted as under review from September 8th, 2015 to February 21rst, 2018. Policy is now in effect.
Revised September 8, 2015: Added item 4 to procedures, revised 3.1.3 for situations where this is no data steward for data being shared, and added consultation with Office of the VP and General Counsel to procedure item 5.
Draft policy moved to interim status October 16, 2014.