As a custodian of institutional information, you are responsible for the Cornell data sent, stored, or shared on the information technology (IT) software, services, and devices -- whether personally owned or university-owned -- that you use. This responsibility includes choosing appropriate solutions to manage data.
Cornell's Policies about Data Use
Depending on what data you are using, and for what reason(s), you may be required to obtain approval from your unit's data steward. Please also refer to the Regulated Data Chart for guidance to help you choose appropriate technology tools for sending, storing and sharing institutional information. Both of these steps are governed by university policies.
- Per Cornell University Policy 4.12 (Data Stewardship and Custodianship), the university expects all stewards and custodians of its administrative data to manage, access, and utilize this data in a manner that is legal and consistent with the university's need for security and confidentiality.
- Per University Policy 5.10 (Information Security), the university expects all stewards and custodians who have access to and responsibilities for institutional information to manage it according to the rules regarding storage, disclosure, access, classification of information and minimum privacy and security standards described in that policy.
Classifications for Cornell's Institutional Information
As detailed in University Policy 5.10 (Information Security), Cornell classifies its institutional information (which includes data) into three types:
High-risk university data - requires the highest level of privacy and security controls; covers information that contains any of the following data elements, when appearing in conjunction with an individual’s legal name or other identifier:
- Social Security number
- Credit or debit card number
- Driver’s license (or non-driver identification) number
- Bank account number
- Visa or passport number
- Protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA)
- Personal financial information subject to the Gramm-Leach-Bliley Act (GLBA)
Moderate-risk university data - any information used in the conduct of university business, unless categorized as high-risk or low-risk university data. This includes, but is not limited to, protected student information as defined in the Family Educational Rights and Privacy Act (FERPA).
Low-risk university data - any information that the university has made available or published for the explicit use of the general public
Definitions of Regulated and High-Risk Data
Some institutional information that Cornell classifies as high-risk university data is also subject to legal or regulatory requirements. This information is also referred to as "regulated data". Federal laws in the area of education, financial, and health care records, as well as a number of state data breach notification laws and contractual provisions in government research grants, impose legal and technical restrictions on the appropriate use of institutional information.
FERPA (Education Records): Education records (i.e., files and documents which contain information related to an identifiable student) are protected by FERPA (Family Educational Rights and Privacy Act). Examples: class lists, grade rosters, records of advising sessions, grades, financial aid applications. See University Policy 4.5, Access to Student Information
HIPAA (Health Records): Certain health information is protected by HIPAA (Health Information Portability and Accountability Act) and is considered high-risk data if it is individually identifiable and held or transmitted by a covered entity. Examples: health records, patient treatment information, health insurance billing information. The HIPAA-covered entities at Cornell are Weill Cornell Medicine, Cornell Health, Benefit Services (both for the Ithaca campus and WMC), and University Counsel.
Personal Identifiers (High-Risk Data): Personal identifiers are Social Security numbers, credit or debit card numbers, driver’s license (or non-driver identification) numbers, bank account numbers, visa or passport numbers, protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA), and personal financial information subject to the Gramm-Leach-Bliley Act (GLBA). These are considered high-risk data when they appear in conjunction with an individual’s legal name or other identifier.
GLBA (Bursar Records): Cornell’s Bursar records are protected by GLBA (Gramm-Leach-Bliley/Financial Services Modernization Act) and also by FERPA.
Human Subjects: Sensitive Identifiable Human Subject Research: Information that reveals or can be associated with the identities of people who serve as research subjects. Examples: names, finger prints, full-face photos, a videotaped conversation, or information from a survey filled out by an individual.
Export Controlled Research: Export Controlled Research is protected by ITAR (International Traffic in Arms Regulations) and EAR (Export Administration Regulations). Sending, or otherwise making available, export-controlled information to a foreign national, either in or outside of the United States territory, is an export. Similarly, storing export-controlled information on a cloud computing server or other third-party server that is located in a foreign country or accessible by foreign nationals is an export. Example: dual-use technology used for scientific advancement as well as military applications.
Credit Card Payment Processing: Credit card numbers used for payment processing are regulated through a trade association agreement with the Payment Card Industry (PCI). Examples: credit card numbers, names, and other information used for payment processing.
Restricted Research Data: Restricted Access Research Data Sets: Example: census data.
- Policy 4.4, Access to Cornell Alumni Affairs and Development Information
- Policy 4.5, Access to Student Information
- Policy 4.12, Data Stewardship and Custodianship
- Policy 5.5, Stewardship and Custodianship of Electronic Mail
- Policy 5.9, Access to Information Technology Data and Monitoring Network Transmissions
- Policy 5.10, Information Security