Skip to main content

Cornell University

IT@Cornell

Regulated Data Chart

Before using any Cornell service to send, store, or share institutional information, review Regulated Data: Guidelines for Campus IT Software and Services.

Using the Regulated Data Chart

The Regulated Data Chart provides guidance to help you choose appropriate technology tools for sending, storing, and sharing institutional information. Before choosing a tool to send, store, or share institutional information, ask two questions:

  • Question 1: Does the Regulated Data Chart permit use of this IT service with the data type I am interested in working with?
  • Question 2: Do my department/unit policies and my data steward permit use of this IT service with the data type I am working with and for the way(s) I am using the data? If you don't know, check with your supervisor. See University Policy 4.12 (Data Stewardship and Custodianship) for the list of data stewards.

If the answer to both questions is yes, you may use the IT tool to send and store the university data in question.

Important notes for chart users:

  • Information in the Regulated Data Chart applies exclusively to Cornell's enterprise version of the service listed. It does not extend to consumer or personally acquired versions of these services, or to third-party applications associated with these services. You must use Cornell's enterprise version to be in compliance with legal, contractual, and policy rules surrounding Cornell's institutional information.
  • The Regulated Data Chart does not apply to data associated with faculty research unless that research falls under a regulation or contract.
  • Your department/unit policies and your data steward ultimately govern whether you can use a particular service to send, store, or share regulated data. The guidance of the Regulated Data Chart by itself is not sufficient.
  • Use Permitted: No technical, policy, or contractual issues exist that prohibit use of this data type with this service. You may send, store, or share the regulated data type with this service if your data steward and your department/unit policies permit you to do so.
  • Use Restricted: Use of this service with the regulated data type is restricted and approval is required. Refer to the instruction in the Regulated and High-Risk Data Definitions at the bottom of this page.
  • Use Prohibited: Use of this service with the regulated data type is prohibited. Do not use this service to send, store, or share the regulated data type.
Title Category FERPA HIPAA High-Risk Identifiers GLBA Human Subjects Restricted Research Data Secure Use
Turnitin Plagiarism Detection Permitted Prohibited Prohibited Prohibited Restricted Restricted

Ferpa – Students agree that by taking this course all required papers may be subject to submission for textual similarity review to Turnitin.com for the detection of plagiarism. All submitted papers will be included as source documents in the Turnitin.com reference database solely for the purpose of detecting plagiarism of such papers. Use of the Turnitin.com service is subject to the Usage Policy posted on the Turnitin.com site. Faculty should include such notice in their syllabus. If Turnitin is instituted after the syllabus is distributed, faculty should provide written notice at that time. http://Turnitin.com
LastPass Password Management Prohibited Prohibited Prohibited Prohibited Prohibited Prohibited

Ferpa – This service is designed to securely store passwords. Its use is not intended for storing data beyond this scope. Storing credentials which access FERPA data is permitted.

Personal Identifiers – This service is designed to securely store passwords. Its use is not intended for storing data beyond this scope. Storing credentials which access confidential data is permitted.

GLBA – This service is designed to securely store passwords. Its use is not intended for storing data beyond this scope. Storing credentials which access GLBA classified data is permitted.
Managed Servers (Infrastructure service) Managed Servers Permitted Permitted Permitted Permitted Permitted Restricted
Cornell Secure File Transfer Collaboration Services Permitted Permitted Permitted Permitted Restricted Restricted
Confluence Collaboration Services Permitted Prohibited Prohibited Prohibited Restricted Restricted
Cornell Google Workspace for Faculty/Staff -- Google Docs Collaboration Services Permitted Prohibited Prohibited Prohibited Prohibited Restricted
Cornell Google Workspace for Students -- Google Docs Collaboration Services Permitted Prohibited Prohibited Prohibited Prohibited Restricted
Box and official Box-developed apps Collaboration Services Permitted Prohibited Prohibited Permitted Restricted Restricted

Ferpa – These permitted and restricted uses apply to any Box-developed application. Third party apps for Box are likely to pull information out of the secure Box environment and should not be used for institutional information. To see a list of official Box-developed apps go to https://cornell.box.com/services/browse/official

HIPAA – These permitted and restricted uses apply to any Box-developed application. Third party apps for Box are likely to pull information out of the secure Box environment and should not be used for institutional information. To see a list of official Box-developed apps go to https://cornell.box.com/services/browse/official

Personal Identifiers – These permitted and restricted uses apply to any Box-developed application. Third party apps for Box are likely to pull information out of the secure Box environment and should not be used for institutional information. To see a list of official Box-developed apps go to https://cornell.box.com/services/browse/official

GLBA – These permitted and restricted uses apply to any Box-developed application. Third party apps for Box are likely to pull information out of the secure Box environment and should not be used for institutional information. To see a list of official Box-developed apps go to https://cornell.box.com/services/browse/official
Blogs (WordPress) Collaboration Services Permitted Prohibited Prohibited Prohibited Prohibited Restricted
Office 365 (Outlook Calendar) Calendar Prohibited Prohibited Prohibited Prohibited Restricted Restricted

Regulated and High-Risk Data Definitions

FERPA (Education Records): Education records (i.e., files and documents which contain information related to an identifiable student) are protected by FERPA (Family Educational Rights and Privacy Act). Examples: class lists, grade rosters, records of advising sessions, grades, financial aid applications. See University Policy 4.5, Access to Student Information

HIPAA (Health Records): Certain health information is protected by HIPAA (Health Information Portability and Accountability Act) and is considered high-risk data if it is individually identifiable and held or transmitted by a covered entity. Examples: health records, patient treatment information, health insurance billing information. The HIPAA-covered entities at Cornell are Weill Cornell Medicine, Cornell Health, Benefit Services (both for the Ithaca campus and WMC), and University Counsel.

Personal Identifiers (High-Risk Data): Personal identifiers are Social Security numbers, credit or debit card numbers, driver’s license (or non-driver identification) numbers, bank account numbers, visa or passport numbers, protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA), and personal financial information subject to the Gramm-Leach-Bliley Act (GLBA). These are considered high-risk data when they appear in conjunction with an individual’s legal name or other identifier.

GLBA (Bursar Records): Cornell’s Bursar records are protected by GLBA (Gramm-Leach-Bliley/Financial Services Modernization Act) and also by FERPA.

Human Subjects: Sensitive Identifiable Human Subject Research: Information that reveals or can be associated with the identities of people who serve as research subjects. Examples: names, fingerprints, full-face photos, a videotaped conversation, or information from a survey filled out by an individual. Before using a service marked restricted to send or store Sensitive Human Subjects Research Data, consult with the Institutional Review Board.

Export Controlled Data (or software): Export Controlled data (or software) is protected by ITAR (International Traffic in Arms Regulations) or EAR (Export Administration Regulations) as applicable. Sending, transmitting, disclosing, or otherwise making available, export-controlled content to a foreign national, either in or outside of the United States territory, is an export. Similarly, storing export-controlled content on a cloud computing server or other third-party server that is located in a foreign country or accessible by foreign nationals is an export. Example: dual-use technology used for scientific advancement as well as military applications. Refer to Policy 4.22, Export and Import Control Compliance.

Credit Card Payment Processing: Credit card numbers used for payment processing are regulated through a trade association agreement with the Payment Card Industry (PCI). Examples: credit card numbers, names, and other information used for payment processing.

Restricted Research Data: Restricted Access Research Data Sets: Example: census data. Before using a service marked restricted to send or store Restricted Access Research Data sets, consult relevant contracting provisions in consultation with the University Counsel or the Office of Sponsored Research. Cornell Data Services provides an additional resource. 

At Cornell we value your privacy. To view
our university's privacy practices, including
information use and third parties, visit University Privacy.