1601 Information Access and Security

Responsible Official: 
Chief Information Security Officer
Responsible Office: 
Office of the Provost
Office of the Vice President for Finance and Business Operations
Effective Date: 
November 1, 2000
Revision Date: 
April 16, 2013

Policy Sections

Scope

This policy establishes requirements for staff, faculty and students regarding access to University information as well as the responsibilities for stewardship of University information. University information is all information generated or acquired, in printed or digital form, by Yale faculty, staff, students, contractors or others engaged on the University’s behalf, in the course of carrying out the University’s mission or conducting its business.

Policy Statement

University information shall be used only for appropriate University purposes. Information is a resource equivalent to University financial and physical resources. All members of the University community shall be aware of their obligations to protect University information. In particular:

  • University information may only be accessed by persons when they are performing activities and responsibilities associated with their University position.
  • University information may only be disclosed to individuals where a Yale business need exists and the individual has appropriate authorization. There are specific policies restricting the sharing of HIPAA, FERPA, PCI, PII and other forms or federally or locally regulated data.
  • Those authorized to access University information are responsible for properly storing and securing it from unauthorized access. This includes, encrypting data, securing and protecting passwords, keys, and other forms of access control.
  • Those authorized to grant or revoke access to University information (as specified in Section 1601.1) are responsible for following procedures to ensure that access is appropriately assigned, modified as needed, and canceled promptly when individuals transfer to other positions or leave the University.
  • Those accepting confidential information on behalf of the University, e.g., for clinical trials, must ensure that the requirements related to the acceptance of that information are followed. Such data must be properly secured on Yale systems.
  • Misuse of University information will be regarded with the utmost seriousness.  Alleged violations of this policy will be pursued in accordance with the appropriate disciplinary procedures for faculty, staff and students, and when indicated, sanctions up to and including dismissal or expulsion will be imposed.

Additionally, there are certain categories of information, such as student records and personal health information  that are accorded confidentiality under the law as well as under University policy. Examples include student information, which is covered by the Family Educational Rights and Privacy Act (FERPA), also called ‘the Buckley Amendment’ and Protected Health Information (PHI) that is covered by the Health Insurance Portability & Accountability Act (HIPAA) when used by a covered entity. Anyone who violates state or federal law is personally liable for such actions under the law as well as under University policy.

Violations of this policy shall be reported to individuals authorized to grant access to University systems and information, or to the Information Security Office.

Policy Sections

1601.1 Authorization to Grant or Revoke Access to University Information

The following University officials are authorized to grant or revoke access to University information:

Type of Information

Official Authorized to Grant or Revoke Access

Academic and educational information

Office of the Provost

Financial information

Controller

Purchasing information

Chief Procurement Officer

Budget information

Budget Director

Human Resources information

Vice President for Human Resources & Administration

Facilities information

Associate Vice President for Facilities

Student information

Associate Vice President for Student Financial and Administrative Services

Protected Health Information (Clinical or Research)

University Chief Privacy Officer