1601 Information Access and Security

Responsible Official: Chief Information Security Officer

Responsible Office:

  • Office of the Provost
  • Office of the Vice President for Finance and Chief Financial Officer

Effective Date: November 1, 2000

Revision Date: December 14, 2020

Policy Sections

1601.1 Authorization to Grant or Revoke Access to University Information

Scope

This policy establishes requirements for staff, faculty and students regarding access to University information as well as the responsibilities for stewardship of University information.  University information is all information generated or acquired, in printed or digital form, by Yale faculty, staff, students, contractors or others engaged on the University’s behalf, in the course of carrying out the University’s mission or conducting its business.

Policy Statement

University information shall be used only for appropriate University purposes.  Information is a resource equivalent to University financial and physical resources.  All members of the University community shall be aware of their obligations to protect University information.  In particular:

  • University information may only be accessed by persons when they are performing activities and responsibilities associated with their University position.
  • University information may only be disclosed to individuals where a Yale business need exists and the individual has appropriate authorization.  There are specific policies restricting the sharing of HIPAA, FERPA, PCI, PII and other forms of federally or locally regulated data.
  • Those authorized to access University information are responsible for properly storing and securing it from unauthorized access.  This includes encrypting data, securing and protecting passwords, keys, and other forms of access control.
  • Those authorized to grant or revoke access to University information (as specified in Section 1601.1) are responsible for following procedures to ensure that access is appropriately assigned, modified as needed, and canceled promptly when individuals transfer to other positions or leave the University.
  • Those accepting confidential information on behalf of the University, e.g., for clinical trials, must ensure that the requirements related to the acceptance of that information are followed.  Such data must be properly secured on Yale systems.
  • Misuse of University information will be regarded with the utmost seriousness.  Alleged violations of this policy will be pursued in accordance with the appropriate disciplinary procedures for faculty, staff and students, and when indicated, sanctions up to and including dismissal or expulsion will be imposed.

Additionally, there are certain categories of information, such as student records and protected health information, that are accorded confidentiality under the law as well as under University policy.  Examples include student information, which is covered by the Family Educational Rights and Privacy Act (FERPA), also called ‘the Buckley Amendment’, and Protected Health Information (PHI), which is covered by the Health Insurance Portability & Accountability Act (HIPAA) when used by a covered entity.  Anyone who violates state or federal law is personally liable for such actions under the law as well as under University policy.

Violations of this policy shall be reported to individuals authorized to grant access to University systems and information, or to the University Information Security Office (“ISO”).

Policy Sections

1601.1 Authorization to Grant or Revoke Access to University Information

The following University officials are authorized to grant or revoke access to University information:

Type of Information                                Official Authorized to Grant or Revoke Access
-------------------------------------------------  ---------------------------------------------------
Academic and educational information               Office of the Provost
Financial information                              Controller
Purchasing information                             Chief Procurement Officer
Budget information                                 Budget Director
Human Resources information                        Vice President for Human Resources & Administration
Facilities information                             Associate Vice President for Facilities
Student information                                University Registrar
Protected Health Information (Clinical or Research)  University Chief Privacy Officer

Related Resources

1601 PR.02 NetIDs and Identity Management

1601 PR.03 Access Control for Protected Health Information (PHI)

1607 Information Technology Appropriate Use Policy

Contacts

  • Interpretation of policy: ITS Help Desk; 203-432-9000
  • Chief Information Security Officer: ITS Help Desk; 203-432-9000
  • Protected Health Information (“PHI”): University Chief Privacy Officer; 203-432-5919