500.02 - Privacy of the Weill Cornell Medicine Network and Systems

Last Reviewed: July 11, 2024

Approval Date: March 24, 2026

Purpose 

Weill Cornell Medicine (WCM) recognizes that an information technology environment built on mutual trust and freedom of thought is essential to the mission of education, research, and patient care. WCM additionally recognizes that as faculty, staff, and students create and store data in electronic form, there is concern that the data a user in the WCM community might consider private may be more available to view or use than initially expected. This policy is intended to clarify general principles and define expectations of privacy within the WCM community. 

Scope 

This policy applies to all WCM Workforce Members who utilize WCM information technology resources as well as those responsible for managing and safeguarding WCM data. 

Policy 

WCM provides, manages, and secures institutional equipment such as computers, tablets, or telephones, or organizational systems, such as email, communication software, internet access and usage, file sharing, document management or electronic medical record systems to community members to further the mission of education, research, and patient care and for conducting general college business. As part of your affiliation with WCM, you are responsible for using this equipment and systems consistent with this policy and WCM policy 500.01 – Responsible Use of Information Technology Resources. 

While incidental and occasional personal use of such systems is permissible, personal communications and data transmitted or stored on WCM information technology resources are treated as business communications and data and are subject to monitoring for performance and compliance purposes. Monitoring systems may be used to flag communications, applications, user activity, and data that violate policies or standards or appear suspicious or malicious in nature (e.g., viruses, spyware) for further investigation. WCM community members should not expect that personal or business communications will remain private and/or confidential. 

While WCM allows unrestricted use of its information technology resources, users of WCM IT resources should not expect privacy rights. WCM reserves the right to monitor all communications, data, and equipment used to access the organization’s systems. Additionally, other members of the Tripartite may monitor the use of our electronic medical record system and related data. 

Definitions 

Workforce Members: Faculty; Non-Faculty Academics; Staff; Students; Volunteers; and other persons whose conduct, in the performance of work for WCM, is under the direction and control of WCM, whether or not they are paid by WCM. 

Procedure

WCM reserves the right to access, review, quarantine, and release electronic information that is stored or transmitted using WCM information technology resources, including any devices you own or control which you use to access WCM systems or data or conduct WCM business. Requests for access, review, quarantine, or release of electronic information may originate from, or on behalf/approval of any of the following WCM officials: 

• Executive Vice Provost & Chief Operating Officer 
• Associate Vice President, Deputy General Counsel and Secretary 
• Chief Privacy & Compliance Officer 
• Chief Information Officer 
• Chief Information Officer-Qatar 
• Chief Information Security Officer 
• Chief Medical Information Officer 
• Research Integrity Officer 
• Assistant Vice Provost, Human Resources 
• Director, Human Resources-Qatar 
• Senior Associate Dean, Education 
• Associate Dean for Student Affairs-Qatar 
• Dean, Weill Cornell Graduate School of Medical Sciences 

These requests will be initiated and fulfilled only under one or more of the following circumstances: 

1. When requested by a court order or other entity with legal authority to do so. 
2. When fulfilling the legal, regulatory, or other applicable duties of WCM. 
3. When responding to a suspected or known electronic or physical security issue or incident. 
4. In the event of a health or safety concern. 
5. In order to ensure the security, confidentiality, integrity, or availability of data stored or transmitted by using WCM information technology resources. 
6. In cases where more stringent controls, such as state regulations for psychiatric data, maintain a higher standard for authorized access, review, or release of data, the more stringent control will always take precedence. 
7. As requested by the Office of General Counsel, University Audit Office, Office of Compliance, or Human Resources in conducting investigations. 

Whenever access, review, or release of electronic information is necessary, care will be taken to treat the event with sensitivity and respect. 

Compliance with this Policy

All WCM Workforce Members are responsible for adhering to this policy. Failure to comply will be evaluated on a case-by-case basis and could lead to corrective action, up to and including termination, consistent with other relevant WCM and University Policies. Instances of non-compliance that potentially involve a lapse of professionalism may lead to engagement of the Office of Professionalism for evaluation and intervention. 

Contact Information

Direct any questions about this policy, 500.02–Privacy of the Weill Cornell Medicine Network and Systems, to the Chief Information Security Officer, using one of the methods below:

1. Office:                                       (646) 962-3609
2. Email:                                        ciso@med.cornell.edu

References 

WCM Policy ITS-500.01 – Responsible Use of Information Technology Resources 

Policy Approval 

This policy was reviewed and approved by: 

• Information Security and Privacy Advisory Committee (ISPAC) on March 19, 2026; and 
• WCM-Executive Policy Review Group (WCM-EPRG) on March 24, 2026.