Regulated Data Chart
This article applies to: Regulated Data
Before using any Cornell service to send, store, or share institutional information, review Regulated Data: Guidelines for Campus IT Software and Services.
Using the Regulated Data Chart
The Regulated Data Chart provides guidance to help you choose appropriate technology tools for sending, storing, and sharing institutional information. Before choosing a tool to send, store, or share institutional information, ask two questions:
- Question 1: Does the Regulated Data Chart permit use of this IT service with the data type I am interested in working with?
- Question 2: Do my department/unit policies and my data steward permit use of this IT service with the data type I am working with and for the way(s) I am using the data? If you don't know, check with your supervisor. See University Policy 4.12 (Data Stewardship and Custodianship) for the list of data stewards.
If the answer to both questions is yes, you may use the IT tool to send and store the university data in question.
Important notes for chart users:
- Information in the Regulated Data Chart applies exclusively to Cornell's enterprise version of the service listed. It does not extend to consumer or personally acquired versions of these services, or to third-party applications associated with these services. You must use Cornell's enterprise version to be in compliance with legal, contractual, and policy rules surrounding Cornell's institutional information.
- The Regulated Data Chart does not apply to data associated with faculty research unless that research falls under a regulation or contract.
- Your department/unit policies and your data steward ultimately govern whether you can use a particular service to send, store, or share regulated data. The guidance of the Regulated Data Chart by itself is not sufficient.
Regulated Data Chart
- FERPA Education Records
- HIPAA Health Records
- Personal Identifiers Confidential Data
- GLBA Bursar Records
- Human Subjects
- Restricted Research Data
- Electronic Lab Notebooks
- Event Support & Media
- Incident Management Tool
- Lecture Capture
- Managed Servers
- Password Management
- Plagiarism Detection
- Printing Services
- Storage Services
- Student Information Management
- Survey Tool
- Video Streaming, Hosting and Video Signage
- Web Hosting Services
- Web Services
Web & Video Conferencing
- Cmail (G Suite for Education) / G Suite for Faculty/Staff -- Google Hangouts
Regulated and Confidential Data Definitions
FERPA (Education Records): Education records (i.e., files and documents which contain information related to an identifiable student) are protected by FERPA (Family Educational Rights and Privacy Act). Examples: class lists, grade rosters, records of advising sessions, grades, financial aid applications. See University Policy 4.5, Access to Student Information
HIPAA (Health Records): Certain health information is protected by HIPAA (Health Information Portability and Accountability Act) and is considered confidential if it is individually identifiable and held or transmitted by a covered entity. Examples: health records, patient treatment information, health insurance billing information. The HIPAA-covered entities at Cornell are Weill Cornell Medicine, Cornell Health, Benefit Services (both for the Ithaca campus and WMC), and University Counsel.
Personal Identifiers (Confidential Data): Personal identifiers are Social Security numbers, credit card numbers, driver’s license numbers, and bank account numbers. These are considered confidential data when they appear in conjunction with an individual’s name or other identifier.
GLBA (Bursar Records): Cornell’s Bursar records are protected by GLBA (Gramm-Leach-Bliley/Financial Services Modernization Act) and also by FERPA.
Human Subjects: Sensitive Identifiable Human Subject Research: Information that reveals or can be associated with the identities of people who serve as research subjects. Examples: names, finger prints, full-face photos, a videotaped conversation, or information from a survey filled out by an individual.
Export Controlled Research: Export Controlled Research is protected by ITAR (International Traffic in Arms Regulations) and EAR (Export Administration Regulations). Sending, or otherwise making available, export-controlled information to a foreign national, either in or outside of the United States territory, is an export. Similarly, storing export-controlled information on a cloud computing server or other third-party server that is located in a foreign country or accessible by foreign nationals is an export. Example: dual-use technology used for scientific advancement as well as military applications.
Credit Card Payment Processing: Credit card numbers used for payment processing are regulated through a trade association agreement with the Payment Card Industry (PCI). Examples: credit card numbers, names, and other information used for payment processing.
Restricted Research Data: Restricted Access Research Data Sets: Example: census data.