500.03 - Data Classification

Last Reviewed: July 23, 2024

Approval Date: March 24, 2026

Purpose 

Information technology and data constitute valuable Weill Cornell Medicine (WCM) assets. Depending on their classification, these assets are additionally subject to state and federal regulation. This policy is designed to provide a launching point for facilitating compliance with these regulations and adherence to commonly accepted security best practices. 

Scope 

This policy applies to anyone who utilizes WCM information technology resources as well as those responsible for managing and safeguarding WCM data. 

Policy 

In order to protect the security and integrity of WCM data, as well as to comply with applicable state and federal laws and regulations, all WCM data must be classified as High Risk, Moderate Risk, or Low Risk. Data stewards and data owners are responsible for this classification.

Definitions 

Workforce Members: Faculty; Non-Faculty Academics; Staff; Students; Volunteers; and other persons whose conduct, in the performance of work for WCM, is under the direction and control of WCM, whether or not they are paid by WCM. 

Procedure

The following risk categorization levels must be adhered to when determining classification for Weill Cornell Medicine data:

Data Classification Risk Table.

The bullets below give additional detail on each level. Risk classification for human subjects research data will be determined by the Institutional Review Board (IRB).

1.01 High Risk

This includes data that could have a significant adverse impact on WCM's safety, finances, or reputation if improperly disclosed. High Risk data includes, without limitation, the following: 

  • Protected health information (PHI), as defined in Title 45 CFR §160.103, is individually identifiable health information that is (i) transmitted by electronic media; (ii) maintained in electronic media; or (iii) transmitted or maintained in any other form or medium. Protected health information excludes individually identifiable health information (i) in education records covered by the Family Educational Rights and Privacy Act (FERPA), as amended, 20 U.S.C. 1232g; (ii) in records described at 20 U.S.C. 1232g(a)(4)(B)(iv); (iii) in employment records held by a covered entity in its role as employer; and (iv) regarding a person who has been deceased for more than 50 years. 
  • Personally identifiable information (PII), as defined in GAO-08-536 Privacy Protection Alternatives, is any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, Social Security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. 
  • Financial data, including data covered under the Gramm-Leach-Bliley Act (GLBA) and the information pertaining to payment cards covered by the Payment Card Industry Data Security Standard (PCI DSS). 
  • Employment records, including pay, benefits, personnel evaluations, and other staff records. 
  • Controlled Unclassified Information (CUI), as defined by the National Archives and Record Administration (NARA), is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable laws, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or Atomic Energy Act of 1954, as amended. 
  • Human genomic or genetic data, which even in de-identified form may be subject to Executive Order 14117 (2024), the DOJ’s Bulk Data Rule (28 CFR Part 202), and the NIH’s Controlled-Access Data Policy. 
  • User account or system passwords that provide access to information systems or applications containing any of the above confidential data elements. 

1.02 Moderate Risk

This includes information that would not cause material harm but poses a moderate risk to WCM’s safety, finances, or operations if improperly disclosed. Moderate Risk data requires protection from unauthorized use, disclosure, modification, and/or destruction, but is not subject to any of the items listed in the High Risk definition above. Data deemed Moderate Risk includes: 

  • Student records, including those protected under the Family Educational Rights and Privacy Act (FERPA), as amended, 20 U.S.C. 1232g, except where records are separately covered under High Risk data. 
  • Unpublished data related to research and constrained by regulation or use agreements, unless containing elements in the High Risk category or deemed High Risk by the oversight committees, including, but not limited to, the Institutional Review Board (IRB), Institutional Animal Care and Use Committee (IACUC), Institutional Biosafety Committee (IBC), Embryonic Stem Cell Research Oversight Committee (ESCRO), Radiation Safety Committee (RSC), or principal investigator. 
  • Health-related research data that has been de-identified in accordance with either the “Expert Determination” method [Title 45 CFR §164.514(b)(1)] or the “Safe Harbor” method [Title 45 CFR §164.514(b)(2)]. For more information on de-identification and honest broker services, reference this overview. 
  • Data related to WCM’s operations, finances, legal matters, audits, or other activities of a sensitive nature not intended for public disclosure. 
  • Data related to intellectual property of WCM, which may be patented or used for financial gain. 
  • Data related to donors or potential donors. 
  • Information security data, including private cryptographic keys for data transfer or data at rest, system configuration documentation, infrastructure or network diagrams, vulnerability and penetration assessments, and other data associated with security-related incidents occurring at WCM, except where pertaining or providing access to systems containing data in the High Risk category. 
  • Any other internal WCM data—the distribution of which is limited by intention or discretion of the author, owner, or administrator. 

1.03 Low Risk

This includes data that can be disclosed to any individual or entity inside or outside of WCM, with minimal risk to WCM’s safety, finance, or operations. Security measures may or may not be needed to control the dissemination of this type of data. Examples include: 

  • Data on public WCM websites, including data elements published as “Public” on the Directory (https://directory.weill.cornell.edu/), such as email address, office phone number, office location, etc. 
  • Data related to research that is either published, publicly available, not intellectual property (as defined in Moderate Risk), or not constrained by regulation or use agreements.
  • Press releases.
  • Job postings.

Compliance with this Policy 

All WCM Workforce Members are responsible for adhering to this policy. Failure to comply will be evaluated on a case-by-case basis and could lead to corrective action, up to and including termination, consistent with other relevant WCM and University Policies. Instances of non-compliance that potentially involve a lapse of professionalism may lead to engagement of the Office of Professionalism for evaluation and intervention. 

Contact Information

Direct any questions about this policy, 500.03 – Data Classification, to the Chief Information Security Officer, using one of the methods below:

  • Office: (646) 962-3609
  • Email: ciso@med.cornell.edu

References 

  • WCM Policy ITS-500.13 – Directory 
  • WCM Policy OOC-410.06 – Safeguarding Patient Information 
  • WCM Policy EA-120.00 – Social Media 
  • Title 45 CFR §160.103 
  • Title 45 CFR §164.514(b)(1)-(2) 
  • Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. §1232g 
  • Gramm-Leach-Bliley Act (GLBA) 
  • Payment Card Industry Data Security Standard (PCI DSS) 
  • GAO-08-536 – Privacy Protection Alternatives 
  • National Archives and Records Administration (NARA) – Controlled Unclassified Information (CUI) 
  • Executive Order 13526 
  • Atomic Energy Act of 1954 
  • Executive Order 14117 (2024) 
  • DOJ Bulk Data Rule – 28 CFR Part 202 

Policy Approval 

This policy was reviewed and approved by: 

  • Information Security and Privacy Advisory Committee (ISPAC) on March 19, 2026; and 
  • WCM-Executive Policy Review Group (WCM-EPRG) on March 24, 2026. 