Critical Data Guide

As an employee of Indiana University (IU), it is your responsibility to protect the data that you encounter every day. This guide is intended to provide you with an understanding of:

  • How IU classifies data
  • The types of data we collect at IU
  • Your data handling responsibilities
  • How to report a data-related incident

What is Critical Data?

Critical data and critical information both refer to the most sensitive type of data that demands special care and handling to prevent serious consequences. Mishandling critical data could lead to criminal or civil penalties, identity theft, personal financial loss, invasion of privacy, and/or unauthorized access to this type of information by an individual or many individuals.

Examples of Critical Data

Personally identifiable information (PII) is any information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information. Some PII is not sensitive, such as full name and email. Other elements are more sensitive, and their exposure could result in substantial harm to an individual, including:

  • Identification Numbers: SSN, driver's license, passport, etc. 
  • Financial information: Bank account numbers, credit & debit card numbers, student loan or billing information.
  • Government-Issued IDs: Driver’s license numbers, State ID card numbers, Passports, and International Visas.
  • Protected Health Information (PHI): medical records, billing information, and any other details that could identify a patient. Learn more in the section about Critical Health Data.
  • Location Information for research purposes.
  • Account credentials: Passwords, passphrases, PINs, security codes, and access codes.
  • Biometric Identifiers: Fingerprints, Face ID, eye scans, etc.
  • Other: Information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.

Given the potential for misuse and harm to the individual in the event of unauthorized access, it is important to store PII in approved locations and limit the collection to what is required.

The Family Educational Rights and Privacy Act (FERPA) generally prohibits the disclosure of student education records once a student starts attending a university. Student data protected by FERPA already requires extra precautions; however, the most sensitive types of data are classified as critical:

  • Financial Information: Bank account numbers, credit & debit card numbers, federal student aid (FAFSA), parent tax information, loan or billing information.
  • Student Health: Individually identifiable health information used for treating students, records maintained by IU student health centers and student counseling programs.
  • Sensitive Identifiers: Admissions records, biometrics, driver’s license, passports, visa, SSN. 

For more information, visit the FERPA website or contact the student data steward at datastu@iu.edu.

As with student data, it is crucial to protect the information that belongs to the staff, faculty, and all employees at IU. Data collected as part of the employment process can be highly sensitive and may be protected by Indiana State data protection laws:

  • Health Data (not covered by HIPAA): Job-protected leave (FMLA), Worker's comp, disability/ADA claims.
  • Human Relations: Case files, termination letters.
  • Eligibility and Verification Records: I-9 forms and supporting documentation (copy of passport, driver's license, visa), personal profile form.
  • Sensitive Identifiers: See PII section above. 

For more information about staff data, contact the staff data steward at lkress@iu.edu.

For more information about faculty data, contact the faculty data steward at aknshah@iu.edu.

The Health Insurance Portability and Accountability Act (HIPAA) imposes numerous, strict privacy and security requirements on individually identifiable health information. Health records and payment details related to healthcare services that are managed by a covered entity fall under Protected Health Information:

  • Identifiable Dates: Date of birth, service time, appointment times, time of death.
  • Identifiable Numbers: Account, license plate, SSN, insurance ID.
  • Unique Physical Features: Biometrics, tattoos, achievements (e.g., world’s tallest person).
  • Demographics Attached to Health Data: Name, home address, contact information, photos.
  • Medical Records: Tests & diagnoses, treatments, surgeries.
  • Other Records: Drug and Alcohol Abuse, Sexually Transmitted Diseases (e.g. HIV), and Mental Health Status. 

The vast majority of IU units should maintain no PHI whatsoever. For more HIPAA information, visit the HIPAA Privacy & Security website or contact the health data steward at hipaa@iu.edu.

Examples of services or activities that IU may offer which result in the creation of customer information covered under the Gramm-Leach-Bliley Act (GLBA) could include but are not limited to:

  • Financial Aid: federal aid (FAFSA) and demographic data related to the borrower, tax returns for verification.
  • Payroll: Direct deposit, banking information, SSN.
  • Bank Balancing: bank transaction history, bank statements, general ledger activity.
  • Employee, Student, and Vendor Information: Data collected for governmental taxation requirements (e.g., federal, state, and local withholding and tax treaty benefits for payments to a foreign student, employee, or vendor).
  • Other electronic payments made to IU.

Learn more about PCI DSS information

In addition to data regulated by FERPA and HIPAA, other common examples of protected research data include participant PII or PHI. Research data carries special considerations beyond those for personal or health data. SecureMyResearch provides self-service resources and one-on-one consulting to help IU researchers, faculty, and staff meet cybersecurity and compliance requirements for processing, storing, and sharing regulated and unregulated research data.

For more information, visit the Research Data Commons or email the research data steward at hcoates@iu.edu.

Employee Responsibilities

There are several ways that you can take personal responsibility for protecting data at IU. Even if you think you do not have any critical information under your control, there are tools to help make sure.

You may also check with the IU Data Management team at iudata@iu.edu if you are unsure whether you need to apply special care and handling to the information elements and assets you use.

Need Help?

The Data Sharing and Handling Tool provides guidance on how to properly classify, store, and share the data you manage.

You may also check with the University Information Policy Office (UIPO) at uipo@iu.edu or 812-855-UIPO if you are unsure whether you need to apply special care and handling to the information elements and assets you use.