Information Protection Policy

  • Purpose

    To develop among the university community an appreciation for the value, and the often vulnerable nature, of information and to reduce the danger of misuse, destruction, or loss of information, especially that of a critical or confidential nature, without restricting academic freedom or complicating access to information to which the university community has a legitimate and specific need.


    This policy applies to all employees of the university.


    The objective of this policy is to establish a framework for the use, access, and maintenance of information.


    It is the policy of Indiana University of Pennsylvania that all information be used in a manner that maintains an appropriate and relevant level of confidentiality and that provides sufficient assurance of its integrity in compliance with existing laws and PASSHE and university policies. [Examples would include (but are not limited to) Copyright Law, US Code Title 18, the Family Educational Rights and Privacy Act of 1974 (FERPA), the Pennsylvania Library Theft law (Act 1982-95), and the Gramm-Leach-BlileyAct (GLBA)].

    While the elimination of all risk is impossible, the goal of the policy is to minimize the possibility of information misuse, corruption, and loss through the adoption of reasonable procedures for the university community to follow. While this policy is especially pertinent to information stored electronically, it is also intended to guide users of all information, including what is stored in other formats such as paper, microform, and video, as well as the content of confidential meetings and conversations.


    University community

    All employees of the university.


    Data, in all its forms, collected, maintained, accessed, modified, or synthesized by and for members of the university community. The various forms of data include, but are not limited to, computer files, paper files, books, microfilm and fiche, video, conversations and oral presentations, and pictures or images.

    Public Information

    Information to which the university community has unrestricted access and for which there are no requirements of confidentiality. The vast majority of information at the university is of a public nature; for example: telephone directories, calendars, schedules, library books in general circulation, most conversations and meetings, and information bulletins.

    Restricted Information

    Information which is sensitive and confidential in nature or legally constrained, and requires access only by that part of the university community with the specific need to do so. Restricted university information includes, for example, individual student class schedules, grades, bills, financial aid applications, health records, personally identifiable financial information, and confidential personnel actions, whether the information is in paper, electronic, micrographic, or conversational form.



    1. Access to public information is limited only by such restrictions as circulation policies, copyright restrictions, license and contractual agreements, university policies (such as the Acceptable Use Policy), and procedures for use. 
    2. Restricted information may only be accessed by those authorized members of the university community with a specific and legitimate need to know. 


    1. Responsibility will vary from member to member of the university community, and each user will be accountable for appropriate use. 
    2. Each member of the university community is responsible for using information appropriately. Appropriate use is wise and prudent use of information so that information resources are not wasted, damaged, or misused. Inappropriate use includes releasing restricted information, erasing or modifying information without proper authorization, defacing or removing pages from books, using information to embarrass, intimidate, or harass, or attempting to subvert the flow of information, such as purposefully attempting to crash or slow down computer systems, modifying or removing posted information without authority, and other such actions. 



    1. Each office responsible for university information shall identify the information it maintains, determine whether it is of a restricted nature, and implement reasonable and clear procedures for granting access only to employees with a legal, specific, and legitimate need to know. Employees must be aware of applicable restrictions on the use of information to which they have access.
    2. Each member of the university community with access to restricted information is responsible for maintaining the confidentiality of that information, whether it has been obtained or created through electronic, paper, or conversational means. Each such person shall take appropriate action to ensure that the information is being used properly and appropriately. For example, confidential files should be locked when not in use. Sensitive or confidential information should be destroyed when discarded. It is particularly important that passwords to computer accounts with access to restricted information not be shared.
    3. Members of the university community charged with maintaining restricted information are responsible for maintaining the accuracy and integrity of that information and for determining who requires access to it. Critical information on the university and university-related information systems is automatically backed up on a regular basis to maintain its integrity and retrievability should it be accidentally or otherwise destroyed or lost. Individual users with critical information maintained locally, i.e., on a personal computer, on paper, or in other media, shall also take appropriate steps to ensure that valuable and confidential information not be lost, damaged, or otherwise compromised. 


    The Library and Educational Services Committee (LESC) is responsible for the procedures and programs to support the Maintenance (Section 7) of the Information Protection Policy, including the creation and maintenance of any specific programs required by law [example, GLBA Safeguards Rule]. Copies of this policy and all associated procedures shall be maintained on the IUP Policy website.
    Questions regarding the applicability or violation of the policy, or appropriate access to information, should be referred to the chair of the Library and Educational Services Committee (LESC).

    Violations of this policy will be reported to the associate vice president for Human Resources.
    Violations of the policy may result in disciplinary action up to and including separation from employment or expulsion from school in accordance with the student handbook, applicable collective bargaining agreements, and/or university and PASSHE personnel policies.

    A violation of this agreement may result in criminal action if it is determined that any local, state, or federal law has been violated. 

    Related Documents

    Information Protection Policy

    Confidentiality Statement for Information Protection Policy


    Alumni/Development Information System 
    Confidentiality Policy

    Publications Statement

    This policy should be published in the following publications:

    Administrative Manual 


    All Employees 

    Document History
    December 12, 1994
    Initial document publication
    October 31, 2005
    Approved for implementation by Dr. Tony Atwater and President's Cabinet
    February 25, 2014
    LESC update:  Removed "affiliates" from document scope

    Removed "affiliates" from definition of "university community"

    Removed/updated obsolete language and references

    Removed requirement to sign the "IUP Confidentiality Statement"