Student Data: Guidelines for Use (updated December 2005)
Student data and information are a vital university resource. Their use must be protected even when the data may not be confidential. As a custodian of student data, you are expected to comply with all university policy and federal and state laws regarding its use.
These policies and laws include Policy 4.5, "Access to Student Information," and a new New York State law known as the "Information Security Breach and Notification Act." This law is directed towards protecting individuals from the ever-increasing occurrence of identity theft. Under it, Cornell will be required to notify individuals whose personal identifying information (such as name or ID number) and private information (social security number, driver's license number or bank account/credit card number) is maintained/owned by Cornell when it has a reasonable belief that such data has been acquired by someone without authorized access to such data. Therefore, to prevent the requirement to notify from arising, it is imperative that all such electronic information be optimally protected. You should contact your college/department IT specialist or CIT to assist you in this regard or in the event of a breach.
Given this increased attention on data security, Cornell’s policies are continually being updated, and as a user of this data you are expected to review them regularly.
Here are some general guidelines and parameters for colleges, departments and administrative unit data users:
- Student social security numbers should never be used.
- Data from the Student Data Marts (Admissions, Financials, and Records) and their sub-sections, Human Resource, Payroll, PEDL, and other information systems, including data collected by departments or individual faculty and staff, is for internal university purposes only.
- Do not store personally identifiable information, such as social security numbers and ID numbers, on your computer.
- Keep only the information you currently require on your computer—all other information should be moved to longer term storage and removed from your computer.
- Everyone, including teaching assistants, is responsible for appropriately protecting student data. One’s role and function define the data resources that will be needed to carry out one’s official responsibilities. Through its data access policies the university makes information and data available based on those responsibilities.
- Data directly identifying a person, such as name, address, telephone number, date(s) of attendance, majors, degrees, etc., may not be distributed in any form to outside persons or agencies, including all government agencies and surveys and other requests for data. All such requests are to be forwarded to the Office of the University Registrar.
- Requests for student information from any courts, attorneys, etc. are handled by the Office of the University Counsel, and colleges and departments should never respond to requests, even with a subpoena. All requests from law enforcement agencies (local police, New York State Police, Federal Bureau of Investigation, et al.) are to be forwarded to the Office of the University Registrar for response.
- At no time may student information, including that identified as ‘Directory Information’, be released to any outside entity for commercial, marketing, solicitation or other purposes. This includes organizations and companies which may be acting as agents for the university or its departments.
- Faculty, students and staff doing research and seeking to survey students must submit a formal request, including the research questionnaire, to the Office of the University Registrar and the Faculty Committee on Human Subjects Research for approval prior to distribution of the research and/or survey questionnaire. Personally identifiable data and information (name, SSN, student ID number, address, telephone number, NetID) must be suppressed, and no data may be used for commercial, for-profit, or marketing purposes. Data must be used only for the approved purpose.
- Institutional research, analysis and reporting functions and external surveys, including departmental, college-based and university, should always suppress personally identifiable data, except where required by law or statute (e.g., some New York State reports). In those cases, reporting and distribution of those reports is to be completed by the Office of Institutional Research and Planning. All reports for the State University of New York (SUNY), the New York State Legislature, and Federal agencies will be prepared and submitted by the Office of Institutional Research and Planning.
- Electronic mail to established listservs (e.g., classes) is permitted. Other bulk electronic mailing (i.e., to all students) is restricted to emergency situations only, such as health emergency notification. All requests for bulk emailing of students must be submitted to the Office of the University Registrar. Listservs and bulk emails must be coordinated through Cornell Information Technology, Network Services. (Consult with George Medlar, firstname.lastname@example.org.)
- Data mart users who repackage data for others in their unit must inform the recipients of the above data access issues. Repackagers are responsible for informing and instructing those to whom they disseminate data from the data mart.
Questions and inquiries, please email: