IU Policy DM-02 "Disclosing Institutional Information to Third Parties" requires that a department take proactive steps when working with a third party to share, collect, or access IU’s institutional data. These steps must allow all parties involved to be aware of and reduce the risks associated with sharing the information. The Data Stewards have partnered with the University Privacy and Security Offices to offer a service which evaluates third parties and provides an assessment to help units meet the requirements to comply with IU policy and privacy legislation.
This assessment MUST be completed prior to sharing any institutional data with the third party. This assessment offers:
- A review of the data classification and contract requirements based on the data to be shared with the third party.
- A review of the privacy policy of the third party to ensure they are not collecting data without our knowledge, claiming data ownership, or sharing it with other third parties without our approval.
- A review of the data requested to ensure it meets regulatory requirements and has a legitimate educational interest.
- If Personally Identifiable Information (PII), restricted, or critical data are involved, the assessment will include a review of the vendor’s Higher Education Community Vendor Assessment Toolkit (HECVAT) submission. This survey is given to assess the third party’s security readiness.
While the university recognizes the need to share institutional information with third parties to accomplish its mission, we recommend using the service to reduce the risks to your unit and to the institution. While a common use case for sharing data with a third party may be to share with a vendor offering IT software or services, other purposes may include auditing, research, partnering with an organization to assess institutional effectiveness, or sharing contact information or specific academic performance data with federal and state officials.