Cornell has a number of policies that define the appropriate use of data we collect about faculty, staff, student, alumni, visitors, etc.
Key policies related to data privacy and use include:
University Record Retention, University Policy 4.7: Cornell University requires that university records be disposed of or retained for specific periods of time in accordance with legal or other institutional requirements, or for historical value. The university has designated official repositories to manage the retention and disposal of these records.
University Record Storage Registry, University Policy 5.11: requires operating units to document where these resources are stored, how they are secured, and how they can be used in accordance with other related university policies.
Data stewardship and custodianship, University Policy 4.12: Data Stewards define appropriate use of data. In turn, Unit Custodians of data ensure proper adherence to policy and security of this data.
Access to Student Information, University Policy 4.5: It is the policy of Cornell University to comply with the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g ("FERPA").
Access to Cornell Alumni Affairs and Development Information, University Policy 4.4: Cornell University respects the privacy of alumni affairs and development information and limits access to that information to authorized individuals.
Access to Information Technology Data and Monitoring Network Transmissions, University Policy 5.9: Cornell University does not monitor the content of network traffic except for legal, policy, or contractual compliance; in the case of a health or safety emergency; or for the maintenance and technical security of the network.
Data Stewardship and Custodianship, University Policy 4.12: The university expects all stewards and custodians of its administrative data to manage, access, and utilize this data in a manner that is consistent with the university's need for security and confidentiality. Cornell University administrative functional areas must develop and maintain clear and consistent procedures for access to university administrative data, as appropriate.
Information Security, University Policy 5.10: Cornell University expects all institutional information stewards and custodians who have access to and responsibilities for institutional information to manage it according to the rules regarding storage, disclosure, access, classification of information and minimum privacy and security standards as set forth in this policy.
Responsible Use of Video Surveillance Systems, University Policy 8.1: Cornell University allows the use of approved video surveillance systems through a transparent process, subject to rules governing equipment installation and employment, and use of the resulting recorded material. Cornell University aims to provide a secure environment for members of its community and to protect personal safety and property, assisted by video surveillance systems technology. Such technologies, however, must be used only to meet the university’s critical goals for security, and in a manner that is sensitive to interests of privacy, free assembly, and expression.
Responsible Use of Electronic Communications, University Policy 5.1: Cornell University requires people who use its information technology resources to do so in a responsible manner, abiding by all applicable laws, policies, and regulations.
Stewardship and Custodianship of Electronic Mail, University Policy 5.3: The university strives to protect electronic mail from inappropriate access or disclosure in order to contribute to the trust of university information technology systems and comply with relevant regulations, laws, and policies regarding the protection of certain types of data.
Standards of Ethical Conduct, University Policy 4.6: Cornell University expects all executive officers, trustees, faculty, staff, student employees, and others, when acting on behalf of the university, to maintain the highest standard of ethical conduct.
The Campus Code of Conduct sets forth standards of behavior that apply to all faculty, students, staff, and university-registered organizations. Regarding computer usage, the Code of Conduct specifically makes it a violation "to recklessly or maliciously interfere with or damage, in violation of university rules, computer or network resources or computer data, files, or other information." The Code also makes it clear that "misappropriation of data or copyrighted materials, including computer software, may constitute theft." Violations of university policies, including computer usage policies, also constitute violations of the Code of Conduct.
The Code of Academic Integrity was adopted by the Faculty Council of Representatives and applies to all students. It prescribes adherence to a set of values, expected not only in coursework, but also in the use of university resources. The code includes computer and network related concepts and examples of violations, such as: initiating or encouraging the promulgation of chain letters and other types of electronic broadcast messages, tapping phone lines or other network cables, subverting or obstructing a computer or network by introducing a worm or virus, supplying false or misleading information to access computer or network systems, improperly obtaining or using another's password to access computers or network systems, and unauthorized access to data, computers or networks.