Retention Policy for International Data

The SUNAPSIS modules, and where applicable OnBase, will be the only locations for retention of data elements defined as critical. Critical data elements must be stored in a secure location while in process (in a locked cabinet or on a secure file server, for example), but any long term retention of critical data will only be maintained within a SUNAPSIS module or OnBase. The types of critical data elements maintained include but are not necessarily limited to:

FULL POLICY CONTENTS

• Passport number;
• Visa number;
• Bank account number;
• Health Information; and
• Social Security Number (SSN)

Please see http://datamgmt.iu.edu/classifications.shtml for the most up-to-date and complete university definition of data considered to be sensitive or critical.

Within the SUNAPSIS database, all data elements defined as critical will be stored in an encrypted state at rest and all transit of that data will occur over secure socket layers (SSL). All scanned and indexed files in SUNAPSIS will be considered critical and will adhere to the afore mentioned rule. Additionally, the software will purge any temporary files generated on the server or on local workstations maintained by a SUNAPSIS module. Any critical data records retained in OnBase must be indexed and properly classified to ensure the appropriate security rules are in place.

The retention of any SSNs will be limited to the SUNAPSIS International Office Module, and where applicable OnBase, when related to international students and scholars for immigration purposes. There are U.S. federal record retention requirements that Indiana University is required to meet (see definitions and references in this policy). Under advisement from University Counsel, documents which the institution is legally required to retain, which may include SSN, must be maintained in an unaltered state for the duration of time that the document is retained in accordance with the regulatory requirement. Please see below for the defined retention schedule.

Any transient use of SSN for processing that does not fall under such regulatory retention requirements will be purged upon completion of the necessary business process. Furthermore, all other areas of International Affairs (those outside of International Services) will not retain SSNs for any records. This would include the SUNAPSIS Study Abroad Module, and any other

Specific data will be purged from systems on the following retention schedule. Any international student, scholar, or employee will be maintained in the system with a complete record for a standard 3 years after the most recent activity on file. Any international student, scholar, or employee that was never active will be maintained in the system with a complete record for a standard 3 years after the most recent activity on file. Individuals for whom applications for permanent employment certification have been filed with the Department of Labor will have their complete record retained for 5 years from the date of filing the Application for Permanent Employment Certification or the 3 year standard, whichever is greater. Active is defined as any period in which an individual’s record has been active in a federal system or they were actively enrolled in classes, in an application for a future date, actively employed, actively onsite at the university, actively in a queue to be at the university in the future, or the record has been updated by an official advisor case notation.

Upon the appropriate timeline the following data will be purged from systems:

• Passport, Visa, I-94, I-129, I-140, and I-907 Data
• Source Scanned Files, but Metadata Maintained
• Source E-Form Data, but Metadata Maintained
• Source SEVIS Transaction Data, but Metadata Maintained
• Source Notes and Email Communications Data, but Metadata Maintained

All other information not defined as critical or sensitive will continue to be retained for the duration of the systems for business analytical purposes. It is very important to retain useful information for ongoing business needs while at the same time remove any of the critical and sensitive data that no longer has any business need or retention requirement. As such metadata will be maintained, such as for indexed files, even when that source data, such as the actual PDF file, is removed.

An exception to this standard retention policy is that H-1B Temporary Worker Public Inspection Files have a federal retention requirement that these records must be retained for a period of 1 year beyond the last date on which any H-1B non-immigrant is employed under a particular Labor Condition Application (LCA) or, if no non-immigrants were employed under the LCA, 1 year from the data the LCA expired or was withdrawn. As such the paper public inspection files will follow this 1 year rule for purging of these defined files. Please note, these records may be retained electronically, on paper, or both for the public inspection files. Furthermore these files do not contain any critical data.

Specific data will be purged from systems on the following retention schedule. Any student will be maintained in the system with a complete record for a standard 3 years after the most recent activity on file. Any student that was never active will be maintained in the system with a complete record for a standard 3 years after the most recent activity on file. Active is defined as any period in which an individual was pursing an application, being considered, or active participant in overseas study programs or the record has been updated by an official advisor case notation.

Upon the appropriate timeline the following data will be purged from systems:

• Passport Number, Visa Number, Health Information
• Source Scanned Files, but Metadata Maintained
• Source E-Forms containing Critical Data, but Metadata Maintained
• Source Notes and Email Communications containing Critical Data, but Metadata Maintained

Data that is defined below, which is not critical data, will be retained until completion of the active degree program or the standard 3 year period, whichever is greater. Upon the appropriate timeline this data will also be purged from systems:

• Source E-Forms not containing Critical Data, but Metadata Maintained
• Source Notes/Email Communications Data not containing critical data, but Metadata Maintained

All other information not defined as critical or sensitive will continue to be retained for the duration of the systems for business analytical purposes.

Other systems in use throughout International Affairs university-wide must not retain critical data by default. If a need is identified for a system outside of SUNAPSIS and OnBase to maintain any critical data then it must first be reviewed for its security of the data by the International Data Steward, and a determination made whether or not the system must be officially included in this policy document prior to being used to store critical data. Otherwise critical data stored in these systems must be redacted or otherwise removed.

File servers may be used for critical data in process and transit, although they should not be used for permanent storage of critical data. Limited access, university internal, and public classified data may be retained on file servers. Data directly linked to student, scholar, or employee records that is maintained on the file server may be retained as long as it serves a continuous business need. Once the business need halts then that data should be purged. Departments must develop and implement an annual process review of data files on the file server that have not been updated in the last year to determine if their business need has halted, and where appropriate purge those data files from the file server.

Local workstations, laptops, and other devices in use throughout International Affairs university-wide must not retain any critical, limited access or university internal data by default. This applies whether the workstations, laptops, or devices are University owned or personal property. Although this may be used for data in process and transient, it should not be used for permanent storage. Local workstations, laptops, and other devices must be scanned each semester, using an approved university product, to verify that no critical, limited access, or university internal data is being retained.

Paper records may be used for critical data in process and transit, although they should not be used for permanent storage of critical data. If paper records are to be retained then any critical data must be redacted. Additionally these files should be purged under the same retention schedule defined above used for the removal of scanned documents.