IU frequently is required by law, industry practices, or business contracts to protect certain types of data. Key international, federal, and state data protection laws relevant to the operations of the university are collected on this page for easy reference.
See the Critical Data Guide for examples of data covered under these laws, as well as instructions on how to properly handle information covered by these laws.
The United States has introduced many federal data protection laws since first signing The Privacy Act of 1974. Examples include personal health information under HIPAA, student education records under FERPA, and payment card data under Payment Card Industry Data Security Standards (PCI DSS).
Outside the US, international laws also protect citizen information. For example, the European Union has a comprehensive data privacy law known as the General Data Protection Regulation (GDPR).
Key Indiana state laws related to data protection include the SSN Disclosure Law, the Data Disposal Law, the Data Breach Notification Law, and the Consumer Report Security Freeze Law.
The Attorney General for the State of Indiana is charged with interpreting and enforcing these laws. If the Attorney General concludes that a violation has occurred, the matter may be referred to local police and prosecutors.
Contact the Office of General Counsel for questions or best practice reviews about the laws.
Email uiso@iu.edu to request a security review or ask technical questions on how to protect data.
