Regulated and High-Risk Data Definitions
FERPA (Education Records): Education records (i.e., files and documents that contain information related to an identifiable student) are protected by FERPA (Family Educational Rights and Privacy Act). Examples: class lists, grade rosters, records of advising sessions, grades, financial aid applications. See University Policy 4.5, Access to Student Information.
HIPAA (Health Records): Certain health information is protected by HIPAA (Health Insurance Portability and Accountability Act) and is considered high-risk data if it is individually identifiable and held or transmitted by a covered entity. Examples: health records, patient treatment information, health insurance billing information. The HIPAA-covered entities at Cornell are Weill Cornell Medicine, Cornell Health, Benefit Services (both for the Ithaca campus and WMC), and University Counsel.
Personal Identifiers (High-Risk Data): Personal identifiers are Social Security numbers, credit or debit card numbers, driver’s license (or non-driver identification) numbers, bank account numbers, visa or passport numbers, protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA), and personal financial information subject to the Gramm-Leach-Bliley Act (GLBA). These are considered high-risk data when they appear in conjunction with an individual’s legal name or other identifier.
GLBA (Bursar Records): Cornell’s Bursar records are protected by GLBA (Gramm-Leach-Bliley/Financial Services Modernization Act) and also by FERPA.
Human Subjects (Sensitive Identifiable Human Subject Research): Information that reveals or can be associated with the identities of people who serve as research subjects. Examples: names, fingerprints, full-face photos, a videotaped conversation, or information from a survey filled out by an individual. Before using a service marked restricted to send or store Sensitive Human Subjects Research Data, consult with the Institutional Review Board.
Export Controlled Data (or software): Export Controlled data (or software) is protected by ITAR (International Traffic in Arms Regulations) or EAR (Export Administration Regulations) as applicable. Sending, transmitting, disclosing, or otherwise making available export-controlled content to a foreign national, either inside or outside United States territory, is an export. Similarly, storing export-controlled content on a cloud computing server or other third-party server that is located in a foreign country or accessible by foreign nationals is an export. Example: dual-use technology used for scientific advancement as well as military applications. Refer to Policy 4.22, Export and Import Control Compliance.
Credit Card Payment Processing: Credit card numbers used for payment processing are regulated through a trade association agreement with the Payment Card Industry (PCI). Examples: credit card numbers, names, and other information used for payment processing.
Restricted Research Data (Restricted Access Research Data Sets): Example: census data. Before using a service marked restricted to send or store Restricted Access Research Data sets, consult the relevant contracting provisions in consultation with University Counsel or the Office of Sponsored Research. Cornell Data Services provides an additional resource.