University Policies
Cornell has a number of policies that define the appropriate use of data we collect about faculty, staff, student, alumni, visitors, etc.
Key policies related to data privacy and use include:
| Policy Title | Policy Number | Policy Description |
|---|---|---|
| University Record Retention | 4.7 | Cornell University requires that university records be disposed of or retained for specific periods of time in accordance with legal or other institutional requirements, or for historical value. The university has designated official repositories to manage the retention and disposal of these records. |
| Administrative Data Store Registry | 5.11 | It requires operating units to document where these resources are stored, how they are secured, and how they can be used in accordance with other related university policies. |
| Access to Student Information | 4.5 | It is the policy of Cornell University to comply with the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g ("FERPA"). |
| Access to Cornell Alumni Affairs and Development Information | 4.4 | Cornell University respects the privacy of alumni affairs and development information and limits access to that information to authorized individuals. |
| Access to Information Technology Data and Monitoring Network Transmissions | 5.9 | Cornell University does not monitor the content of network traffic except for legal, policy, or contractual compliance; in the case of a health or safety emergency; or for the maintenance and technical security of the network. |
| Data Stewardship and Custodianship | 4.12 | The university expects all stewards and custodians of its administrative data to manage, access, and utilize this data in a manner that is consistent with the university's need for security and confidentiality. Cornell University administrative functional areas must develop and maintain clear and consistent procedures for access to university administrative data, as appropriate. |
| Information Security | 5.10 | Cornell University expects all institutional information stewards and custodians who have access to and responsibilities for institutional information to manage it according to the rules regarding storage, disclosure, access, classification of information and minimum privacy and security standards as set forth in this policy. |
| Physical Security Systems | 8.1 | This policy outlines the responsibilities and procedures regarding physical security systems and public safety at all Cornell campuses, locations, and facilities for the protection of the Cornell community, as well as university-owned grounds, buildings, and property and the state buildings and property under the supervision, administration, and control of the university, and to aid in the prevention of crime and enforcement of applicable laws and Cornell policies. |
| Responsible Use of Electronic Communications | 5.1 | Cornell University requires people who use its information technology resources to do so in a responsible manner, abiding by all applicable laws, policies, and regulations. |
| Stewardship and Custodianship of Electronic Mail | 5.5 | The university strives to protect electronic mail from inappropriate access or disclosure in order to contribute to the trust of university information technology systems and comply with relevant regulations, laws, and policies regarding the protection of certain types of data. |
| Standards of Ethical Conduct | 4.6 | Cornell University expects all executive officers, trustees, faculty, staff, student employees, and others, when acting on behalf of the university, to maintain the highest standard of ethical conduct. |
| Interim Anti-Doxxing Policy | 4.24 | Cornell community members should respect others’ rights to keep their personal information private. |
The Campus Code of Conduct sets forth standards of behavior that apply to all faculty, students, staff, and university-registered organizations. Regarding computer usage, the Code of Conduct specifically makes it a violation "to recklessly or maliciously interfere with or damage, in violation of university rules, computer or network resources or computer data, files, or other information." The Code also makes it clear that "misappropriation of data or copyrighted materials, including computer software, may constitute theft." Violations of university policies, including computer usage policies, also constitute violations of the Code of Conduct.
The Code of Academic Integrity was adopted by the Faculty Council of Representatives and applies to all students. It prescribes adherence to a set of values, expected not only in coursework, but also in the use of university resources. The code includes computer and network related concepts and examples of violations, such as: initiating or encouraging the promulgation of chain letters and other types of electronic broadcast messages, tapping phone lines or other network cables, subverting or obstructing a computer or network by introducing a worm or virus, supplying false or misleading information to access computer or network systems, improperly obtaining or using another's password to access computers or network systems, and unauthorized access to data, computers or networks.