This guideline covers all data produced, collected or used by Indiana Wesleyan University (IWU), its employees, student workers, consultants or agents in the course of University business.
All data covered by the scope of this guideline will be classified by one of the following classification types:
- IWU Protected data
- IWU Sensitive data
- IWU Public data
IWU Protected data
IWU Protected data are any data that contain personally identifiable information concerning any individual and that are regulated by local, state, or Federal privacy regulations, or by any voluntary industry standards or best practices for the protection of personally identifiable information that Indiana Wesleyan University chooses to follow.
These regulations and standards include, but are not limited to:
- Family Educational Rights and Privacy Act (FERPA)
- Gramm-Leach-Bliley Act (GLBA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Payment Card Industry Data Security Standard (PCI DSS)
Examples of some of the types of data that are regulated are listed in the ‘Related Information’ section of this guideline.
IWU Sensitive data
IWU Sensitive data are any data not classified as IWU Protected data that IWU would not distribute to the general public. This classification is made by the department originating the data. Examples of the types of data included are:
- Budgetary, departmental, or University planning information, and non-public financial, procurement, health/safety, audit, insurance and claims information
- IWU Network ID
- Proprietary intellectual property in which the University asserts ownership that is created by University employees in connection with their work.
- Information, materials, data and records designated confidential by contract, including information obtained by the University from third parties under non-disclosure agreements or any other contract that designates third party information as confidential.
IWU Public data
IWU Public data are any data that IWU is comfortable distributing to the general public. For department-specific data, this classification comes from the department. If data are created jointly by more than one department, the involved departments should jointly classify the data; if they are unable to reach a consensus, the data must be classified as IWU Sensitive data. For University-wide data, this classification can only come from the Office of the President. Examples of the types of data included are: department faculty lists, press releases, and the IWU web site.
Any IWU data that contain no personally identifiable information concerning any individual, are not covered by any local, state, or Federal regulation (and are therefore not IWU Protected data), and have not been classified as IWU Sensitive data are classified as IWU Public data.
Reason for the Guideline
The purpose of this guideline is to identify the different types of data, to provide examples for each type of data, and to establish the default classification for data. The classification of IWU data is critical for applying the requirements associated with each type of data in terms of where it can be stored, how it can be transmitted, and how institutional data is to be protected. This guideline is referenced by the Data Storage and Transmission Guideline.
All questions related to the correct classification of data should be directed to the Business Affairs office at ext. 2605.
The information below is provided to clarify, by example, the varying levels of data within the protected data category.
IWU Protected Data
Listed below are examples of types of personally identifiable information that are generally protected by local, state, or Federal privacy regulations. These examples are not an exhaustive list of all possible types of information that are protected by local, state, or Federal privacy regulations.
- Social security numbers
- Credit card and debit card numbers
- Bank account numbers and routing information
- Driver’s license numbers and state identification card numbers
- Student education records, for example:
  - Bursar's Office: student account files and Perkins loan information
  - Departments and Colleges: academic advising records, admission files (including ACT, SAT and TOEFL scores), high school and college transcripts and other scholastic records
  - Financial Assistance: financial assistance application files, student federal work-study information, scholarships and Stafford loan information
  - Intercollegiate Athletics: injury reports, scholarship contacts, performance records, height and weight information
  - Registration and Records: permanent record of academic performance (grades, transcript, including supporting documents), course schedules
  - Residence Life: residential life and housing services files
  - Student Life: student activity files, student disciplinary files, multi-cultural programs and services files, and intramural sports files
  - Student Services: career planning files, including placement information and employers' files, international programs and services files
  - Undergraduate Admission and other admission offices: admission files on prospective students
  - University Library: circulation records
- Personal health records, for example patient information:
  - addresses, dates, telephone/fax numbers, social security numbers, medical records numbers, patient account numbers, insurance plan numbers, vehicle information, license numbers, medical equipment numbers, photographs, fingerprints, e-mail and Internet addresses
Note: Personal health records stored in education records are subject to FERPA and are excluded from HIPAA.
Family Educational Rights and Privacy Act (FERPA)
FERPA is a Federal law that protects the privacy of student education records. It applies to all schools that receive funds under an applicable program of the U.S. Department of Education. FERPA gives students the right to inspect and review certain education records maintained by the school and to request corrections if the records are inaccurate or misleading. It requires that schools obtain written permission before releasing information from a student's education record, except in the specific circumstances the law permits. It also allows schools to publish certain "directory" information about students, unless the student has requested that the school not do so.
Additional information can be found at http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html
Gramm-Leach-Bliley Act (GLBA)
GLBA protects consumers' personal financial information held by financial institutions. It requires that financial institutions provide customers with a privacy notice explaining what information is collected, how it is used, and how it is protected.
The penalty for failing to comply with GLBA is a fine of up to $100,000 for the institution and of up to $10,000 for the officers and directors of the institution.
Additional information can be found at http://www.ftc.gov/privacy/privacyinitiatives/glbact.html .
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA protects the privacy of Protected Health Information (PHI). It establishes regulations for the use and disclosure of PHI, including a patient's health status, provision of health care, medical records or payment history.
Criminal penalties for wrongfully disclosing PHI range from a fine of up to $50,000 and up to one year in prison to a fine of up to $250,000 and up to ten years in prison, depending on the circumstances. These criminal penalties apply to the persons who commit the violation; HIPAA also provides for separate civil monetary penalties against the covered entity.
Additional information can be found at http://www.hhs.gov/ocr/hipaa/ .
Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS is an industry standard that protects cardholder data. It requires that specific control objectives be met by any organization that accepts payment cards. These control objectives include secure network, server, and desktop standards, as well as procedures to ensure that cardholder data is properly protected while it is stored, processed and transmitted.
Failing to comply with PCI DSS can result in significant fines. Card brands can fine merchants up to $500,000 per compromise when the merchant was not compliant at the time of the compromise. Merchants may also be barred from accepting certain types of payment cards. Additional information can be found at https://www.pcisecuritystandards.org/tech/index.html
06-12-2018 Information Security Officer