Directly sharing or providing critical information elements to a person outside IU — verbally, on paper, or electronically — is a disclosure.
Information disclosure may also take place when a computer on which information is stored is compromised or stolen, information is made available online or via an external application, paper records with the information are disposed of in an unsecure manner, or computer media is disposed of in an unsecure manner.
Authorized disclosures
Sharing or disclosure of critical information is sometimes necessary, or even required by law, to complete a business transaction. Even so, be sure to evaluate and document the authorization appropriately:
- Ensure that a recently reviewed contract (through IU Purchasing) is in place to oversee the sharing agreement.
- In many instances, particularly when an SSN is included, you need to obtain an individual’s express written consent for sharing or disclosure. Documents should expressly indicate that the individual’s SSN is being disclosed.
- Requests/demands from law enforcement, or from the public under the Indiana Access to Public Records Act, should be forwarded to the Office of the Vice President and General Counsel immediately.
- All disclosures must comply with Policy DM-02, Disclosing Institutional Information to Third Parties, which requires a University Information Security Office review and Data Steward approval for the disclosure of critical data.
Unauthorized disclosures
If at any time you think critical information has been disclosed or exposed without authorization, immediately report an emergency IT incident.
If the incident involves a possibly compromised computer, do not use the system. This means you should not do a network scan of the system, run antivirus software, patch the system, reboot, unplug any cables, or power off the system. Taking these actions will destroy important forensic data. Instead, wait for instructions from the Policy and Security Offices.