Indiana University Purchasing

On July 1, 2006, three new laws passed by the Indiana legislature took effect that impose certain obligations on IU with respect to data privacy, security, and disposal. These laws concern the following types of personal information:

* Social Security Numbers
* Credit card numbers
* Debit card numbers
* Financial account numbers
* Security codes, access codes and passwords relating to financial accounts
* Drivers license numbers
* State identification card numbers

The three laws differ in certain ways, but basically require that the University:

1. NOT disclose outside of IU more than the last four digits of an individual’s Social Security Number, unless we have the individual’s express written permission or in other limited circumstances.

2. Dispose of the personal information described above in a secure manner, so that third parties cannot obtain and use (or misuse) that information. 

3. Notify individuals whose unencrypted personal information reasonably appears to have been acquired by an unauthorized person as a result of an electronic system security breach.

In view of these laws, it is imperative that your unit or organization review your current disposal practices.   Should you currently shred documents with a strip shredder, you will need to either upgrade your equipment to a cross-shred unit or employ the use of an outside shredding service.   

If you wish to use an external company for data destruction, Indiana University has implemented several standing agreements with the following document/media destruction companies:

Vendor Name	City and State	Phone Number
Cintas Document Management	Indianapolis, In	317-396-9260
Confidential Document Destruction	Bloomington, IN	812-336-7779
Enviro-Shred	Laporte, IN	219-324-6631
Grand Rapids Shred It	Grand Rapids, MI	616-956-7400
Indiana University Warehouse
Indy Shred	Indianapolis, IN	317-895-2800
Kokomo Confidential Shredders	Kokomo, IN	866-896-0896
Mountain High Shredding	Mishawaka, IN	574-340-2875
Opportunity Enterprises Inc./ Confidential Paper Recycling	Valparaiso, IN	219-464-9621
Shred-It, Louisville	Louisville, KY	502-491-4151
Speedy Shred	Columbus, IN	812-376-6964
Shred-It, Indianapolis	Indianapolis, IN	317-876-3477

 

Please be sure to use these companies for your document/media destruction needs.
For further clarification, please feel free to contact your campus Purchasing representative.

The purchasing department would be happy to assist with your questions about equipment and services.  For further assistance, please contact:

IUB
Karin Coopersmith, 812-855-5813, kcoopers@indiana.edu

IUE
Margie Santner (765) 973-8233 msantner@indiana.edu

IUPUI
Pam Copenhaver, 274-5343, plpierce@iupui.edu

IUK
Eva Howe, 455-9233, ehowe@iuk.edu

IUN
Marianne Malyj, 219-980-6627, mmalyj@iun.edu
Cindy Kurpis, 219-980-6865, ckurpis@iun.edu

IUS
Ed Kochert, 812-941-2338, ckochert@ius.edu

IUSB
Deb Richards, 520-4580, drichard@iusb.edu ,
Tom Westerhof, 520-4399, towester@iusb.edu 

Everyone who obtains, uses, maintains, and shares the types of personal information described above in the course of their University responsibilities should be aware of the obligations that these laws impose, especially because some violations of the law carry criminal penalties (fines and/or jail time). It is important to note that these laws affect faculty as well as staff--for example, because SSNs were used for many years at IU as the default student identification number, faculty may have old paper and electronic course records containing SSNs. It is important that these records, like administrative records containing sensitive personal information, are maintained and disposed of with sufficient security.

Further details concerning our obligations under these new laws and how they relate to existing data privacy and security measures and requirements may be found at http://itpo.iu.edu/policies/bestpractices/dataprotection.html. This site also provides information on other laws and IU policies that require privacy and secure handling for the personal data listed above, and for other types of data that exist at IU, including student records, personal financial information, and health care records.  PLEASE NOTE:  any sharing of protected data with a contractor or other third party should be done through a contract containing appropriate language to ensure the proper handling of those data.  Purchasing has standard data protection language that can be modified as needed for a particular contractual relationship.   

If at any time you become aware of circumstances in which any of the types of personal information described above may have been disclosed to an unauthorized person, please call immediately your local campus Support Center or Network Operations Center, and send details of the incident to it-incident@iu.edu . The IT Security and Policy Office will coordinate incident response and take the appropriate steps.