Personal Identifiable Information and Reports Containing Admissions Data

Personal Identifiable Information (PII) and Reports:

An inventory of admissions data attributes to be deleted from local or enterprise reports if those reports will otherwise be retained beyond record retention policy timeframes

Overview

University policies regarding admissions data retention have been updated to establish best practices for maximum records retention and risk management, and to bring IU into compliance with federal and international privacy laws.   These policies establish timeframes by which records, documents, and related data must be removed from all university systems, reports, and records, both electronic and physical.

• Personal Identifiable Information (PII) includes data elements which, alone or in combination, could be used to establish or reveal a person’s identity or communicate with them outside of IU.
• Admissions data for purposes of this document refers collectively to the population of non-enrolled suspects, prospects, and applicants at all stages of the application funnel, and all of their related data.

Expanded explanations of PII and other terms used in this document can be found at the end.

This document provides an inventory of data elements considered PII, and outlines expectations for removing that data in the local or central reporting environment if a report will be retained beyond the timeframe for purging of the individual records it contains. 

• PII data for these individuals must be removed from all operational and longitudinal comparative reports and the tables behind them no later than the timeframe established for the respective records.
• This allows the retention of measured elements for longitudinal analysis, while “anonymizing” the relationship of the data to an individual.

Attributes marked “Remove” below are considered PII and must be deleted if a related report is otherwise retained.   Associated attributes that may be retained are listed for clarification.

With the wide variety of systems and vendors from which admissions data is sourced, it is unlikely that the inventory of attributes listed below is comprehensive.  Please refer to the definitions at the end to discern if an attribute in your local report is expected to be purged.

If you have questions about the definitions provided, or your source includes potential PII attributes not listed below, please submit a request to the Institutional Analytics team at IAHelp@iu.edu.

Inventory of Attributes

University ID (aka EMPLID)

• May retain University ID as a unique identifier on a row in a report table, even after all other PII information has been removed.
  • While this is a unique identifier, it is not used outside IU.
  • It is needed to facilitate the structure and utility of longitudinal reports, and the joining of data between disparate reports.
  • University IDs are assigned sequentially as new SIS/HRMS records are created. At current rates these are not projected to roll over until at least 2086.

Names

• Remove: All name types (primary, preferred, nickname, degree, etc.)
• Remove: All name fields (prefix, first name, middle name, last name, suffix, etc.)

Addresses

• Remove: Elements below for all address types
  • All street or PO Box address fields (aka Address Line 1, Address Line 2, Address Line 3, Address Line 4)
• For postal codes:
  • May retain non-USA codes
  • For USA codes may retain the first 5 characters, but remove +4
• May retain:
  • City, County, State, Country
  • EPS market code and description

Email Addresses

• Remove: email types
• Remove: All email field values

Phone Numbers

• Remove: All phone types
• Remove: All field values (country code, prefix, number, extension, etc.)

Citizenship Data

• Remove: Passport details including Passport Number, Issue Date, Expiration Date, etc.
• May retain: Country code and description
• May retain: Citizenship status code and description

Visa/Permit Data

• Remove: Visa classification details (date, number, status, issue date, issue place, etc.)
• Remove: References to all supporting documents and request history
• May retain: Country code, country name, and Visa Type

Tribal identification

• Remove: Remove Tribal ID Number
• May retain: Tribal ID Code and related tribe description (i.e. ABNK Abenaki) 

Military/veteran status

• Remove: Military Rank
• May retain: Military Status including Active Duty, Active Reserve, Disabled, Disabled Veteran, VA Benefit (see list of 18 SIS lookup values for remaining examples)

Other Bio/Demo Data

• Remove: IU user ID (aka network ID)
• Remove: Date of birth
• Remove: Date of death and related decedent details
• Remove: SSN or any portion thereof
• Remove: External system sources & related ID numbers (test agency ID, Slate ID, Common or Coalition ID, DOD ID, DOE ID, STN ID, unique IDs with vendor sources, etc.)
• Remove: Licenses, passports, green cards, or other external unique identification data
• Remove: Personal data (pronouns)

Application Data

• May retain: SIS application number
• Remove: External and vended application source labels and numbers (Common App ID, Coalition app ID, Liaison ID, etc.)

Education History and Curricular Data

• May retain: External org ID and org name, org location (city/state/country), grad date, GPA, curricular detail (courses, grades), etc.

Recruiting Categories

• May retain: all recruiting category codes
• May need to remove: Any PII data stored in the long description/text field.   This will be determined by individual campuses based on local practices.    Reporting offices should check with their local admissions office to determine if any of these need to be excluded.

Relatives (parents and other relationship types)

• Remove: All relationship types
• Remove: All PII data attributes associated with each relative, including but not limited to all the sections noted above. (names, addresses, phone numbers, email, etc.)

Scholarships & Financial Aid Data

• Remove: FA ISIR number
• Remove: Parent info and any Parent/Relationship bio/demo elements following all the same rules as noted above
• May retain:
  • EFC amount
  • Pell offer amount
  • TCNT offer amount
  • IU gift offer amount (and related award name/item type)
  • Total gift offer amount
  • Work study offer amount
  • Total aid offer amount
  • Student need amount
  • Unmet need amount
  • Need-based loan offer amount

Talking points/ Q & A

Q: Do I have to retain all records for three years (or five years)?

1. The three-year/five-year timeframes are maximum retention periods. You can delete earlier if you no longer need the data.

Q: How will we handle data exchange with the National Student Clearinghouse or other sources, and the retention/anonymization of that data?

1. Keep in mind the retention limits are based on the status of the individual person whose data has been shared and their status at IU.

To be compliant, data stored at IU for non-enrolling admitted students will be purged or anonymized no later than three years after the start of the admit term with which they were affiliated.  PII data for those students must be removed from any locally retained reports.

UA and local reporting offices will be responsible for purging or anonymizing rosters and data sets in compliance with retention rules, regardless of where those records are stored.   This may be done on a record-by-record basis, or a cohort basis depending on the business needs of the unit.   In no case may that data be retained longer than specified by the retention policy.

Q: What if I have a question about a data element that is not on this list?

1. If your source includes potential PII attributes not listed in this document, please submit a request to the Institutional Analytics team at IAHelp@iu.edu.

Q: What if I have a question about or need clarification of a definition?

1. If you have a question about a definition included in this document, please submit a request to the Institutional Analytics team at IAHelp@iu.edu.

Definitions/Terminology

• Admissions data for purposes of this document refers collectively to the population of non-enrolled suspects, prospects, and applicants at all stages of the application funnel, and all of their related data.
  • If a suspect/prospect/applicant does not enroll, all related information (bio/demo, education, relationships, scholarships, communication history, etc.) must be purged.
  • Once an admitted student moves to the “enrolled” stage, different retention rules apply to their related records.

• Anonymization is the removal of PII from report display and the individual records within tables that support those reports. Removal may be done:
  • ID by ID based on published purge population, or
  • Anonymizing the contents on a cohort basis, or
  • Building reports in an anonymized manner from the beginning.

• Personal Identifiable Information (PII) is defined as any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means. Further, PII is defined as information: (i) that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.) or (ii) by which an agency intends to identify specific individuals in conjunction with other data elements, i.e., indirect identification. (These data elements may include a combination of gender, race, birth date, geographic indicator, and other descriptors). Additionally, information permitting the physical or online contacting of a specific individual is the same as Personal identifiable information. This information can be maintained in either paper, electronic or other media. (US Department of Labor, https://www.dol.gov/general/ppii#)
  • For IU’s purposes, PII includes data elements which, alone or in combination, could be used to establish or reveal a person’s identity or communicate with them outside of IU.
• Redacting is not the same as removal. If records, data elements or documents are due to be purged, compliance is not reached by merely redacting the information.   In reports, such information must be “anonymized” (removing data elements considered Personal identifiable information).
• Report Types:
  • Longitudinal Reports
    • Longitudinal reports often display aggregate data, comparing points in cycle (PIC) or Year-over-Year (YOY) data. However, the tables behind these reports often contain PII data.  Where that is true, the data behind those tables must be anonymized, either record by record or by cohort.
  • Operational Reports
    • Operational reports often contain or produce rosters with individual rows for each record. If retained beyond the retention period, the data tables behind these reports must be anonymized, and rosters removed, converted to aggregates, or anonymized.

• Retention timeframe
  • In general, admissions records related to non-enrolling students must be purged no later than three years after the start of the admit term with which the record is associated. For enrolled students, admissions records will be purged no later than five years after the start of the individual’s last enrolled term.
  • Published retention timeframes represent maximum retention periods. Records/reports/systems may be purged earlier if offices no longer have a need for this data/information.   However, information cannot be retained beyond the established retention timeframes.  
  • Longitudinal reports retained beyond retention timeframes must be purged of PII data related to purged records.
  • More details can be found in the Records Retention Schedule https://ermrrs.webhost.iu.edu/ (requires IU login)