What are the major legal issues about sensitive data?
The legal issues about sensitive data involve how we maintain, share, and destroy it. Sensitive data is anything that can be used for identity theft or that is otherwise significantly harmful if disclosed without proper authorization.
There are three Indiana laws that address data protection:
- IC 4-1-10 (commonly referred to as the “SSN disclosure law”) makes it a crime to disclose a person’s Social Security number (SSN) except under specific circumstances as described by the law.
- IC 24-2-14 (commonly referred to as the “data disposal law”) makes it a crime to dispose of certain types of personal information in publicly accessible areas without first taking steps to render it unusable.
- IC 4-1-11 (commonly referred to as the “breach notification law”) requires the university to notify individuals whose personal information has been reasonably exposed because of a systems security breach.
Additionally, the university’s policy regarding SSNs is that they must not be stored on departmental servers unless doing so is absolutely necessary to the business functioning of the office involved.
The SSN disclosure and data disposal laws cover both electronic and paper data.
Other Laws
Federal and state laws exist that provide further protections to certain types of data, or that may influence how you handle those data. Data Managers of certain applications and data areas may require you to complete additional training to familiarize you with these. See some examples.
More information
For more information about data protection laws, see ourBest Practices for Handling Electronic Institutional and Personal Information
