Sensitive Data Policies and Email Encryption

About this policy

Date of last update:

04/15/2024

Sensitive Data and Email

Email Background

When you send an email, it typically crosses the network and is stored in what is called "clear text". That means anyone with access to the network connection or to the files on the email server can read the message. Encryption can be used to "scramble" the message so it cannot be read without a password. So, if sensitive information is sent using email, care must be taken to ensure that email leaving the IU mail system is encrypted. This page describes the mechanisms you can use to ensure the secure transmission of sensitive data via email so you are in compliance with IU security policies.

Critical Data

In most cases, you will want to avoid sending critical sensitive data via email if at all possible. This section applies only to non-critical sensitive data in the restricted and university-internal classifications (see previous section). If you have a need to send critical data via email, please contact College IT Research, Infrastructure, and Support so we can discuss options and appropriate safeguards.

Special care must be taken when sending any sensitive data via email. First of all, if you can avoid sending sensitive data via email, that is preferable. However, for many of us, sending sensitive data via email is part of our job and hard to avoid. So, here are two options for sending non-critical sensitive data.

Option 1: CRES Service

IU has an Office Message Encryption (OME) service that is extremely simple to use. It works as follows:

  • Only outbound mail is affected. Mail that stays within the IU network (for example, from one Exchange user to another) is not affected.
  • Only mail sent from Exchange is encrypted by OME. Mail sent from other IU systems is not encrypted by OME (for example, mail-relay.iu.edu).
  • Mail scanning is automatic. All relevant messages are scanned, and will be encrypted if they are found to contain protected types of information. However, you may ensure that your message will be encrypted by including [Secure Message] (case insensitive, with square brackets) in your subject line; see Ensure that mail sent from your Exchange account to an outside address is encrypted.
  • Attachments are encrypted. If an email message or any of its attachments are found to contain sensitive data, the message and all attachments are encrypted. However, not all file types can be scanned and therefore trigger automatic encryption; if you send any type of message or attachment containing sensitive data, you should force encryption by including [Secure Message] (case insensitive, with square brackets) in your subject line as above. Note that attachments over 100 MB cannot be encrypted; see Email message size limits.
  • You can manage secure messages after they have been sent. See Revoke email encrypted by Advanced Message Encryption.

So, if you need to email non-critical sensitive data (including a 9-digit IU ID number), just put "[Secure Message]" (including the square brackets but not the double quotes) in the subject of the email and you are in compliance with IU email policy. Do note, however, that this requires that you be using the IU mail servers for your outgoing email. This will be true for most people using the IU mail system, but if you are using a non-IU email system and have questions on how you can take advantage of this service, please contact College IT Research, Infrastructure, and Support.
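
For departments that send mail from scripts or templates, the rules above can be checked before a draft is handed to Exchange. The following is an added example, not IU or Microsoft code: it flags a draft with an outside recipient whose subject lacks the tag or whose attachment is over the size limit. The function names, treating any non-iu.edu address as "outside", and counting 100 MB as binary megabytes are assumptions; the check cannot tell whether the message will actually leave through Exchange.

```python
import re
from email.message import EmailMessage
from email.utils import getaddresses

# Assumptions (not from the IU page): "outside" means a recipient domain other
# than iu.edu, and the 100 MB limit is binary megabytes per decoded attachment.
INTERNAL_DOMAIN = "iu.edu"
MAX_ATTACHMENT_BYTES = 100 * 1024 * 1024
SECURE_TAG = re.compile(r"\[secure message\]", re.IGNORECASE)  # brackets required


def external_recipients(msg):
    """Return recipient addresses whose domain is not the internal domain."""
    fields = [str(v) for h in ("To", "Cc", "Bcc") for v in msg.get_all(h, [])]
    out = []
    for _name, addr in getaddresses(fields):
        domain = addr.rpartition("@")[2].lower()
        if addr and domain != INTERNAL_DOMAIN and not domain.endswith("." + INTERNAL_DOMAIN):
            out.append(addr)
    return out


def presend_findings(msg, max_bytes=MAX_ATTACHMENT_BYTES):
    """List the reasons this draft should not be sent as-is; empty means OK."""
    external = external_recipients(msg)
    if not external:
        return []  # mail that stays inside IU is not affected by OME
    findings = []
    if not SECURE_TAG.search(str(msg.get("Subject", ""))):
        findings.append("subject lacks [Secure Message]; encryption is not forced for: "
                        + ", ".join(external))
    for part in msg.iter_attachments():
        size = len(part.get_payload(decode=True) or b"")
        if size > max_bytes:
            findings.append(f"attachment {part.get_filename()!r} is {size} bytes, "
                            "over the limit, and cannot be encrypted")
    return findings


def constructed_draft(subject, to, attachment_size=0):
    """Build a constructed sample draft (not real mail) for the checks above."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "sender@iu.edu", to, subject
    msg.set_content("Constructed body text.")
    if attachment_size:
        msg.add_attachment(b"\0" * attachment_size, maintype="application",
                           subtype="octet-stream", filename="roster.bin")
    return msg
```

An empty list from `presend_findings` means the draft either stays inside IU or carries the tag with no oversized attachment.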