Disclosing Institutional Information to Third Parties

Scope

All agents of the university who have a need to disclose institutional information to a third party.

Back to top

Policy Statement

All agents of the university who have a business need to disclose university institutional information to a third party must be aware of and take proactive steps to reduce the risks associated with the sharing of that information.

Back to top

Reason for Policy

The university has a responsibility to exercise prudent stewardship over the information with which it has been entrusted, and certain information is subject to additional legal and contractual requirements.

The university also recognizes the need to share institutional information with partners to accomplish its mission and that, when disclosing this information, the university must exercise due care. Furthermore, to ensure compliance with applicable federal and state laws, regulations, and university policies, it is vital to evaluate and approve the ability of third parties to appropriately handle and protect information before information is shared.

This policy will assist the university in managing the risks inherent in the disclosing of institutional information.

Back to top

Procedures

Prior to disclosing institutional information, the agent is responsible for initiating and managing the process below to ensure that:

• There is an adequate understanding of the third party’s security environment;
• Business needs, risks, and mitigating safeguards are analyzed and documented; and
• Institutional information is adequately protected.

1. If the information to be shared with, or added to or collected by the third party is classified as public, the agent must:
   1. For situations involving the purchase or acquisition of goods and services, seek advice from the appropriate Data Steward(s) and the Purchasing Department on relevant procedures.
   2. If the request is made pursuant to the Indiana open records statute, or for other situations, contact the Office of the VP and General Counsel.
2. If the information to be shared with, or added to or collected by the third party is classified as university-internal or restricted, the agent must:
   1. Seek advice from the appropriate Data Steward(s) and, as appropriate, the Office of the VP and General Counsel: there may be a need for an agreement, memo of understanding, or other documentation in disclosing information with third parties.
   2. For situations involving the purchase or acquisition of goods and services, consult with the Purchasing Department to ensure that an appropriate agreement (i.e. contract, memo of understanding, etc.) with the third party is in place and that it contains the appropriate data security protection language.
3. If the information to be shared with, or added to or collected by the third party is classified as critical, the agent must:
   1. Initiate a data security review of the third party’s ability to appropriately handle and protect the shared information.  See Protect.iu.edu for process. The data security review will include:
      1. Completion of a data security questionnaire,
      2. Review by the University Information Security Office (UISO), and other parties as deemed appropriate by the Data Stewards and
      3. Approval by the Data Steward responsible for the institutional information involved, or for situations where data does not clearly fall within the scope of a Data Steward, approval by the Office of the VP and General Counsel.
   2. Seek advice from the appropriate Data Steward(s) and, as appropriate, the Office of the VP and General Counsel: there may be a need for an agreement, memo of understanding or other documentation in disclosing information with third parties.
   3. For situations involving the purchase or acquisition of goods and services, consult with the Purchasing Department to ensure that an appropriate agreement (i.e. contract, memo of understanding, etc.) with the third party is in place and that it contains the appropriate data security protection language.
4. The appropriate Data Steward(s), the Office of the VP and General Counsel, or the Purchasing Department may require a data security review for any situation which in their professional judgment warrants further review.
5. In some cases the university may be required to share information in compliance with applicable law regardless of the third party’s willingness to address risks raised by the university’s security review, and/or enter into an agreement with the university, and/or due to a compressed timeline. In such situations, the law requiring disclosing, the security concerns raised, and the response of the third party should be documented.  Consult the Office of the VP and General Counsel regarding any legal compliance issues.

Back to top

Definitions

Disclosing information – Data can be shared with a third party in many ways including:

1. Access to information: examples include gaining entry through either the IU network or internet  hosted application that requires authentication; logging into PayPal or OneStart portals, IUIE, SIS/HRMS or other systems to view/obtain/use the data therein;
2. Acquisition of existing data: examples include subscribing to databases containing critical information, receiving information collected by a third party. This type of data will rarely become institutional information for the purposes of this policy;
3. Collection of new data: examples include account creation that requires user information; web forms filled out by students, staff or public; payment transactions; registration for classes or training sessions;
4. Disposal of information: examples include shredding, incinerating, or otherwise destroying records; secure data deletion; disk and memory wiping. 
5. Maintenance of information: examples include warehousing paper or electronic records at a third party site; using a hosted platform provider to store institutional information; email outsourcing;
6. Storage of Information: examples include POS unit for credit card sales, archiving electronic or paper records either on or off-site; saving electronic files to a server either at IU or at a vendor location;
7. Transmission of information: examples include courier service for delivery of sensitive documents or files; electronic file saved to a vendor location; transporting of medical records electronically among health care providers and/or insurers; saving, uploading, downloading or viewing information on a network; POS systems which accept and send credit card data; vending machines which accept and send credit card data to process transactions;
8. Use of information: examples include accessing institutional information to generate queries or reports; using data obtained from magnetic cards used for security systems or for payments; using health information  to provide services or process benefits requests; using SSN’s and other personally identifiable  information to access and print W2 forms.

Agents of the university – An individual authorized to act on behalf of the university and its affiliated organizations.  For purposes of this policy, the agent will generally be a faculty or staff member.

Third party – A separate legal entity that has a business, contractual, legal or other relationship with the university, approved external agencies, and affiliated organizations.

Back to top

Sanctions

Indiana University will handle reports of misuse and abuse of information and information technology resources in accordance with existing policies and procedures issued by appropriate authorities. Depending on the individual and circumstances, involved this could include the offices of Human Resources, Vice Provost or Vice Chancellor of Faculties (or campus equivalent), Dean of Students (or campus equivalent), Office of the General Counsel, and/or appropriate law enforcement agencies. See policy IT-02, Misuse and Abuse of Information Technology Resources for more detail.

Failure to comply with Indiana University information technology policies may result in sanctions relating to the individual's use of information technology resources (such as suspension or termination of access, or removal of online material); the individual's employment (up to and including immediate termination of employment in accordance with applicable university policy); the individual's studies within the university (such as student discipline in accordance with applicable university policy); civil or criminal liability; or any combination of these.

Back to top

Additional Contacts

Maintained and revised as necessary by the University Information Policy Office under the direction of approved data management committees.

Office of the Vice President for Information Technology
University Information Policy Office, uipo@iu.edu

Back to top

History

This policy was posted as under review from September 8th, 2015 to February 21st, 2018. Policy is now in effect. 

Revised September 8, 2015: Added item 4 to procedures, revised 3.1.3 for situations where this is no data steward for data being shared, and added consultation with Office of the VP and General Counsel to procedure item 5.

Draft policy moved to interim status October 16, 2014.

Back to top