Sharing and disclosing

Disclosure

Directly sharing or providing critical information elements to a person outside IU — verbally, on paper, or electronically — is a disclosure.

Information disclosure may also take place when:

  • A computer upon which information is stored is compromised or stolen
  • Information is made available online or via an external application
  • Paper records with the information are disposed of in an unsecure manner
  • Computer media is disposed of in an unsecure manner

Authorized disclosures

Sharing or disclosure of critical information is sometimes necessary, or even required by law, to complete a business transaction. Even so, be sure to evaluate and document the authorization appropriately:

  • Ensure that a recently reviewed contract (through IU Purchasing) is in place to oversee the sharing agreement. Note: Contracts signed prior to 2006 must be updated to include new standard language.
  • In many instances, particularly when an SSN is included, you need to obtain an individual’s express written consent for sharing or disclosure. Documents should expressly indicate that the individual’s SSN is being disclosed.
  • Requests/demands from law enforcement, or from the public under the Indiana Access to Public Records Act, should be forwarded to the Office of the Vice President and General Counsel immediately.
  • All disclosures must comply with Policy DM-02, Disclosing Institutional Information to Third Parties, which requires a University Information Security Office review and Data Steward approval for the disclosure of critical data.

Unauthorized disclosures

If at any time you think critical information has been disclosed or exposed without authorization:

1. Immediately call the following in order — no matter what time of day or night (or weekday, weekend, or holiday) — until you reach someone:

  • UIPO/UISO: (812) 855-8476 (during normal business hours)
  • UITS Network Operations Center: (812) 855-3699 (24x7)
  • UITS Support Center: (812) 855-6789 (after hours)

2. Send details to: it-incident@iu.edu

The Information Policy and Security Offices will coordinate a response.

If the incident involves a possibly compromised computer, do not use the system. This means you should not do a network scan of the system, run antivirus software, patch the system, reboot, unplug any cables, or power off the system. Taking these actions will destroy important forensic data. Instead, wait for instructions from the Policy and Security Offices. For more information, see the Report an Incident page.