Frequently Asked Questions about the Regulated Data Chart
The Regulated Data chart provides guidance about which Cornell services can be used to store or send data that is considered to be sensitive, confidential, or otherwise governed by university policy or by state or federal law. Learn more about how and when to use the chart.
Who should use this chart?
Everyone at Cornell must comply with regulations and university policy when using institutional information. Regulated or confidential data types may be sent through or stored within only those applications where Cornell or its vendors have implemented the privacy and security safeguards required by law or university policy.
When should you use the chart?
Use the Regulated Data Chart to identify a service cleared for use with your data type before you send or store data. Sometimes approval from a Cornell or government entity is required before using a service and sometimes there are important details to be aware of, so this is a case where reading the "fine print" is critical.
The Regulated Data Chart pertains to Cornell's version of the tools listed. These are also called enterprise versions. Always make sure you are using Cornell's versions and not commercial versions that often have the same or similar names. Enterprise versions have numerous built-in protections.
What should you use the chart for?
- If you are a data steward, or his or her delegate, use the chart to know what baseline contractual or technical safeguards are in place for regulated data types. This information is an important starting point from which to evaluate your rules surrounding the use of the data under a data steward's purview in specific technologies.
- If you are a custodian of university data, this chart provides general information. It is especially useful as a starting point to know what technologies/applications Cornell supports. Those that are outside of Cornell's enterprise framework should NOT be used with any regulated data. This chart may also be useful in communications with data stewards to help inform their decisions about the uses to which specific technologies could be put.
If a service is listed as approved on the Regulated Data Chart, does that mean I can freely share the protected data?
Not necessarily. Whether or not a service may be used is a TWO-STEP analysis.
- The FIRST step begins with this chart. If Cornell does not support the technology, or the chart indicates that the use of regulated data is not allowed either by contract or technical safeguards, then the analysis ends there: do not use that technology for that regulated data type.
- If the technology passes the first step, continue to the SECOND step, which is to determine whether, as a matter of policy, the data steward allows the data type under their purview to be used with the technology. If the data steward has not communicated clear guidance on this matter to you as a custodian, please consult your supervisor.
What is a data steward?
According to Policy 4.12, Data Stewardship and Custodianship, a data steward is "An individual with the responsibility for coordinating the implementation of this policy through a) the establishment of definitions of the data sets available for access and b) the development of policies and/or access procedures for those data sets."
What is regulated and confidential data?
Regulated and confidential data is data controlled by federal laws in the areas of education, finance, and health care. This data is also affected by a number of state data breach notification laws and contractual provisions in government research grants, which impose legal and technical restrictions on the appropriate use of institutional information. The university must comply with laws, contract provisions, and other restrictions.
Regulated data is very specific types of data regulated by law. In the context of the Regulated Data Chart, these data types are FERPA, HIPAA, GLBA, ITAR, and EAR.
- FERPA (Education Records): Education records (i.e., files and documents which contain information related to an identifiable student) are protected by FERPA (Family Educational Rights and Privacy Act). Examples: class lists, grade rosters, records of advising sessions, grades, financial aid applications. See Policy 4.5, Access to Student Information.
- HIPAA (Health Records): Certain health information is protected by HIPAA (Health Insurance Portability and Accountability Act) and is considered confidential if it is individually identifiable and held or transmitted by a covered entity. Examples: health records, patient treatment information, health insurance billing information. The HIPAA-covered entities at Cornell are Weill Cornell Medicine, Cornell Health, Benefit Services (both for the Ithaca campus and WMC), and University Counsel.
- GLBA (Bursar Records): Cornell’s Bursar records are protected by GLBA (Gramm-Leach-Bliley/Financial Services Modernization Act) and also by FERPA.
- ITAR and EAR: Export Controlled Research is protected by ITAR (International Traffic in Arms Regulations) and EAR (Export Administration Regulations). Example: dual-use technology used for scientific advancement as well as military applications.
Personal Identifiers (Confidential Data): Personal identifiers are Social Security numbers, credit card numbers, driver’s license numbers, and bank account numbers. These are considered confidential data when they appear in conjunction with an individual’s name or other identifier.
Human Subjects: Sensitive Identifiable Human Subject Research: Information that reveals or can be associated with the identities of people who serve as research subjects. Examples: names, fingerprints, full-face photos, a videotaped conversation, or information from a survey filled out by an individual.
Credit Card Payment Processing: Credit card numbers used for payment processing are regulated through a trade association agreement with the Payment Card Industry (PCI). Examples: credit card numbers, names, and other information used for payment processing.
Restricted Research Data: Restricted Access Research Data Sets: Example: census data.
What does permitted use have to do with security?
When Cornell says you cannot use a service to send or store certain data, people sometimes interpret this to mean the service in question is not secure for general use. This is a misinterpretation. It means the service does not meet the requirements for managing Policy 5.10 Level 1 data. HIPAA, PCI, etc., often require a specific combination of technical security, operational policy, procedures, documentation, and training. Very often those measures are highly specific to the type of data and business processes in which it will be used. That the service can't comply with those requirements doesn't necessarily mean that it is inappropriate for, or poses an increased risk (versus a locally hosted service) for, other uses.