Directly disclosing or providing critical information elements to a person outside IU — verbally, on paper, or electronically — is a disclosure. Sharing or disclosure of critical information is sometimes necessary, or even required by law, to complete a business transaction. Through IU policy DM-02: Disclosing Institutional Information to Third Parties, two processes have been designed to provide the necessary resources for departments to select solutions that meet their needs while minimizing threats to IU data:
Software and Services Selection Process (SSSP)
The SSSP is for requesting IT software and/or services related to the use of any software, storage, or applications intended for creating, processing, storing, securing, or exchange of electronic data. Cloud services that will host or access critical data require a security assessment by UISO and a review by the appropriate data stewards before a purchase can move forward.
Other Authorized Disclosures
In many instances, particularly when a SSN is included, you need to obtain an individual’s express written consent for sharing or disclosure. Documents should expressly indicate that their SSN is being disclosed.
Requests/demands from law enforcement, or from the public under the Indiana Access to Public Records Act, should be forwarded to the Office of the Vice President and General Counsel immediately.