As a custodian of institutional information, you are responsible for the Cornell data sent, stored, or shared on the information technology (IT) software, services, and devices -- whether personally owned or university-owned -- that you use. This responsibility includes choosing appropriate solutions to manage data.

Cornell's Policies about Data Use

Depending on what data you are using, and for what reason(s), you may be required to obtain approval from your unit's data steward. Please also refer to the Regulated Data Chart for guidance to help you choose appropriate technology tools for sending, storing and sharing institutional information. Both of these steps are governed by university policies.

• Per Cornell University Policy 4.12 (Data Stewardship and Custodianship), the university expects all stewards and custodians of its administrative data to manage, access, and utilize this data in a manner that is legal and consistent with the university's need for security and confidentiality.
• Per University Policy 5.10 (Information Security), the university expects all stewards and custodians who have access to and responsibilities for institutional information to manage it according to the rules regarding storage, disclosure, access, classification of information and minimum privacy and security standards described in that policy.

Classifications for Cornell's Institutional Information

As detailed in University Policy 5.10 (Information Security), Cornell classifies its institutional information (which includes data) into three types:

High-risk university data - requires the highest level of privacy and security controls; covers information that contains any of the following data elements, when appearing in conjunction with an individual’s legal name or another identifier:

• Social Security number
• Credit or debit card number
• Driver’s license (or non-driver identification) number
• Bank account number
• Visa or passport number
• Protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA)
• Personal financial information subject to the Gramm-Leach-Bliley Act (GLBA)

Moderate-risk university data - any information used in the conduct of university business, unless categorized as high-risk or low-risk university data. This includes, but is not limited to, protected student information as defined in the Family Educational Rights and Privacy Act (FERPA).

Low-risk university data - any information that the university has made available or published for the explicit use of the general public

Definitions of Regulated and High-Risk Data

Some institutional information that Cornell classifies as high-risk university data is also subject to legal or regulatory requirements. This information is also referred to as "regulated data." Federal laws in the area of education, financial, and health care records, as well as a number of state data breach notification laws and contractual provisions in government research grants, impose legal and technical restrictions on the appropriate use of institutional information.

FERPA (Education Records): Education records (i.e., files and documents which contain information related to an identifiable student) are protected by the Family Educational Rights and Privacy Act (FERPA). Examples: class lists, grade rosters, records of advising sessions, grades, or financial aid applications. See University Policy 4.5, Access to Student Information.

HIPAA (Health Records): Certain health information is protected by the Health Information Portability and Accountability Act (HIPAA) and is considered high-risk data if it is individually identifiable and held or transmitted by a covered entity. Examples: health records, patient treatment information, health insurance billing information. The HIPAA-covered entities at Cornell are Weill Cornell Medicine (WCM), Cornell Health, Benefit Services (both for the Ithaca campus and WCM), and University Counsel.

Personal Identifiers (High-Risk Data): Personal identifiers are Social Security numbers, credit or debit card numbers, driver’s license (or non-driver identification) numbers, bank account numbers, visa or passport numbers, protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA), and personal financial information subject to the Gramm-Leach-Bliley Act (GLBA). These are considered high-risk data when they appear in conjunction with an individual’s legal name or another identifier.

GLBA (Bursar Records): Cornell’s Bursar records are protected by the Gramm–Leach–Bliley Act (GLBA), also known as the Financial Services Modernization Act, and also by the Family Educational Rights and Privacy Act (FERPA).

Human Subjects: Sensitive identifiable human subject research data (i.e., information that reveals or can be associated with the identities of people who serve as research subjects) is regulated by the Federal Policy for the Protection of Human Subjects (also called the “Common Rule”). Examples: names, fingerprints, full-face photos, a videotaped conversation, or information from a survey filled out by an individual.

Export Controlled Data (or Software): Export Controlled Data (or Software) is protected by ITAR (International Traffic in Arms Regulations) or EAR (Export Administration Regulations). Sending, transmitting, disclosing, or otherwise making available, export-controlled content to a foreign national, either in or outside of the United States territory, is an export. Similarly, storing export-controlled content on a cloud computing server or another third-party server that is located in a foreign country or accessible by foreign nationals is an export. Example: dual-use technology used for scientific advancement as well as military applications. Refer to Policy 4.22, Export and Import Control Compliance.

Credit Card Payment Processing: Credit card numbers used for payment processing are regulated through a trade association agreement with the Payment Card Industry (PCI). Examples: credit card numbers, names, and other information used for payment processing.

Restricted Research Data: Restricted Access Research Data Sets. Example: census data.

Related Policies

• Policy 4.4, Access to Cornell Alumni Affairs and Development Information
• Policy 4.5, Access to Student Information
• Policy 4.12, Data Stewardship and Custodianship
• Policy 5.5, Stewardship and Custodianship of Electronic Mail
• Policy 5.9, Access to Information Technology Data and Monitoring Network Transmissions
• Policy 5.10, Information Security