Data Privacy & Security

There are numerous federal and state laws and standards that govern the use, security, and protection of personal information.

State Data Protection and Security Laws

There are three state laws related to data protection and security that are most frequently applicable to the University and its vendors.

  • Indiana’s Release of Social Security Number law prohibits the disclosure of social security numbers except in very limited circumstances.
  • Indiana’s Notice of Security Breach law requires the University to provide notice to individuals in the event of an unauthorized disclosure (breach) of personal information held by the University or one of its vendors. Personal Information means an individual’s name (either first and last, or first initial and last name) together with at least one of the following: social security number, driver license or identification card number, account number, credit/debit card number, or security code, access code, or password of an individual’s financial account.
  • Indiana’s Persons Holding a Customer’s Personal Information law requires the safe disposal or destruction of some personal data held by the University.

If you have questions regarding the state data protection and security laws, please contact Jennifer Adams.

Report a Security Breach

Data Destruction Requirements

Indiana law requires the University to dispose of personal information in a secure manner. The University must also ensure that any vendor that has such data on behalf of the University also complies with the destruction requirements.

The definition of “personal information” includes an individual’s first name and last name (or first initial and last name) and at least one of the following: (i) social security number; (ii) driver’s license or identification card number; and/or (iii) account number, credit or debit card number, security code, access code, or password on an individual’s financial account.

However, if the data/personal information is encrypted, redacted, or otherwise obtained from publicly available sources, these destruction requirements will not apply.

Proper destruction of personal information under the law is defined as “shredding, incinerating, mutilating, erasing, or otherwise rendering information illegible or unusable.”

If you have questions regarding how to securely remove data, please see the University’s Secure Data Removal page.