As a custodian of institutional information, you are responsible for the Cornell data sent, stored, or shared on the information technology (IT) software, services, and devices -- whether personally owned or university-owned -- that you use. This responsibility includes choosing appropriate solutions to manage data.
Cornell's Policies about Data Use
Depending on what data you are using, and for what reason(s), you may be required to obtain approval from your unit's data steward. Please also refer to the Regulated Data Chart for guidance to help you choose appropriate technology tools for sending, storing and sharing institutional information. Both of these steps are governed by university policies.
- Per Cornell University Policy 4.12 (Data Stewardship and Custodianship), the university expects all stewards and custodians of its administrative data to manage, access, and utilize this data in a manner that is legal and consistent with the university's need for security and confidentiality.
- Per University Policy 5.10 (Information Security), the university expects all stewards and custodians who have access to and responsibilities for institutional information to manage it according to the rules regarding storage, disclosure, access, classification of information and minimum privacy and security standards described in that policy.
Classifications for Cornell's Institutional Information
As detailed in University Policy 5.10 (Information Security), Cornell classifies its institutional information (which includes data) into three types:
Confidential (Level 1) Information - requires the highest level of privacy and security controls; covers information that contains any of the following data elements, when appearing in conjunction with an individual’s name or other identifier:
Social Security number
Credit card number
Driver's license number
Bank account number
Protected health information, as defined in the Health Insurance Portability and Accountability Act (HIPAA)
Restricted (Level 2) Information - all information used in the conduct of university business, unless categorized as public (level 3) or confidential (level 1)
Public (Level 3) Information - any information that the university has made available or published for the explicit use of the general public
Definitions of Regulated and Confidential Data
Some institutional information that Cornell classifies as Confidential (Level 1) information is also subject to legal or regulatory requirements. This information is also referred to as "regulated data". Federal laws in the area of education, financial, and health care records, as well as a number of state data breach notification laws and contractual provisions in government research grants, impose legal and technical restrictions on the appropriate use of institutional information.
FERPA (Education Records): Education records (i.e., files and documents which contain information related to an identifiable student) are protected by FERPA (Family Educational Rights and Privacy Act). Examples: class lists, grade rosters, records of advising sessions, grades, financial aid applications. See University Policy 4.5, Access to Student Information
HIPAA (Health Records): Certain health information is protected by HIPAA (Health Information Portability and Accountability Act) and is considered confidential if it is individually identifiable and held or transmitted by a covered entity. Examples: health records, patient treatment information, health insurance billing information. The HIPAA-covered entities at Cornell are Weill Cornell Medicine, Cornell Health, Benefit Services (both for the Ithaca campus and WMC), and University Counsel.
Personal Identifiers (Confidential Data): Personal identifiers are Social Security numbers, credit card numbers, driver’s license numbers, and bank account numbers. These are considered confidential data when they appear in conjunction with an individual’s name or other identifier.
GLBA (Bursar Records): Cornell’s Bursar records are protected by GLBA (Gramm-Leach-Bliley/Financial Services Modernization Act) and also by FERPA.
Human Subjects: Sensitive Identifiable Human Subject Research: Information that reveals or can be associated with the identities of people who serve as research subjects. Examples: names, finger prints, full-face photos, a videotaped conversation, or information from a survey filled out by an individual.
Export Controlled Research: Export Controlled Research is protected by ITAR (International Traffic in Arms Regulations) and EAR (Export Administration Regulations). Sending, or otherwise making available, export-controlled information to a foreign national, either in or outside of the United States territory, is an export. Similarly, storing export-controlled information on a cloud computing server or other third-party server that is located in a foreign country or accessible by foreign nationals is an export. Example: dual-use technology used for scientific advancement as well as military applications.
Credit Card Payment Processing: Credit card numbers used for payment processing are regulated through a trade association agreement with the Payment Card Industry (PCI). Examples: credit card numbers, names, and other information used for payment processing.
Restricted Research Data: Restricted Access Research Data Sets: Example: census data.
- Policy 4.4, Access to Cornell Alumni Affairs and Development Information
- Policy 4.5, Access to Student Information
- Policy 4.12, Data Stewardship and Custodianship
- Policy 5.5, Stewardship and Custodianship of Electronic Mail
- Policy 5.9, Access to Information Technology Data and Monitoring Network Transmissions
- Policy 5.10, Information Security