Skip to main content

Data Privacy Day: A message from the Chief Privacy Officer about protecting data at IU

Chief Privacy Officer Mark Werling, JD

Chief Privacy Officer Mark Werling, JD

January 28 is Data Privacy Day—an international effort to empower individuals and businesses to respect privacy, safeguard data and enable trust.

At Indiana University, we monitor data privacy trends and developments throughout the world and enhance our program on a continuous basis to ensure the best experience for our constituents. We also closely monitor privacy issues and track trends within IU School of Medicine to assess where we can continue to improve to ensure data privacy for students, employees and patients.

Here are a few privacy issues to be aware of:


1.  Transporting physical Protected Health Information (PHI)

In the current remote environment, we are seeing more protected health information transported from one location to another. While this is sometimes a necessity, ensuring the confidentiality, privacy and security of this data during transport is critical. IU’s Removal and/or Transport of PHI policy provides guidance on how to safely and securely move data, whether in paper form or stored electronically on a device or USB. A few highlights from this policy include:

  • Only the minimum amount of information necessary should be transported. For example, if a list of names must be transported, only the list of names should be moved.
  • PHI should not be left unattended in a vehicle at any time.
  • PHI should be transported in a way that it is not viewable or accessible to others (e.g., in a file, briefcase, etc.).


2.  Using your own device

If you wish to use your personal device (cell phone, tablet, etc.) for IU business, there are certain steps you must take to ensure the security of your device and any IU data you may access or store on it. Please review the Indiana University Policy IT-12.1 Mobile Device Security Standard.

All mobile devices must:

  • Have appropriate safeguards applied to mitigate risk of loss or exposure, including adequate password protection, encryption, remote wiping, and intrusion prevention measures.
  • Be wiped before transferring ownership (e.g., when trading in your cell phone).
  • Be reported to if lost, stolen or otherwise compromised.


3. Secure data storage

IU will finalize the migration of files from Box Health accounts to the new Microsoft at IU Secure Storage by May. IU has developed secured storage, appropriate for electronic protected health information and other restricted and critical data, with a range of privacy and security safeguards. These safeguards are in place to ensure the confidentiality, integrity and availability of IU data. Understanding how to manage permissions for your sensitive data files is key to managing appropriate access and avoiding sensitive data exposure.

IU launched to collect in one place guidance on several sectors in our privacy program and provide resources on where to go for questions or further information. Learn more, today!


Incident Reporting

The Privacy Office is here to serve you and to ensure the proper treatment of our community’s private information. Reach out any time you have a question, concern or suggestion concerning data privacy.

Immediately report any potential privacy incident to the University Information Policy Office at: Learn more about incident reporting and response here.


Mark Werling, JD, Chief Privacy Officer, Indiana University