Guidelines for Student Use of Institutional Data

Scope

These guidelines are applicable to Yale students who wish to use Yale institutional data to develop or test unaffiliated technology projects.

Purpose

The guidelines provide a summary of relevant University policies and expectations applicable to student projects involving technology innovation, including University policy which may be most relevant to technology projects. Adherence to University policy and expectations with regard to institutional data will ensure that the project will not be subject to subsequent revision or sanctions.

Use of Institutional Data – General Requirements

The University recognizes the benefit of involving Yale students in innovating uses of institutional data. At the same time, the University acknowledges that it has an obligation to protect institutional data from uses that would violate University policy, regulatory requirements, or the rights of data subjects. Key considerations are outlined below but student innovators are advised to review the relevant policies or seek consultation with the University Registrar/Data Governance (kathleen.galo@yale.edu) to ensure the proposed use meets University requirements. It is further recommended that projects be conducted in partnership with a faculty or staff member.

Privacy

University data is governed by a variety of privacy laws depending on the characteristics of the data subjects and the context under which the data was collected. Some common areas of concern include:

• Student Directory information: Students are allowed under FERPA to opt out of the publicly available directory information at any time. The fluidity of publicly available student directory information means that developers must be prepared to update student directory information to exclude any subsequent student directory opt-outs. 
• Privacy Notices: Apps and other technologies are increasingly expected (or in some cases required) to be transparent regarding the information collected, how it is secured, and how it is used. If information is to be proactively collected through a website or app, a privacy notice should be developed and published with the project. Use of existing data must conform to the privacy practices or notices promulgated by the data source.
• Specially protected information: Certain types of information are subject to enhanced privacy, security, and legal requirements depending on the sensitivity of the data (health, biometric, political affiliation, etc.) or the geolocation of the data. For example, data collected from individuals (including students) while in the European Union is subject to the EU General Data Protection Regulation.  
• Limitation on data collection and retention: any data that will be collected or stored should be limited to only that information necessary for proper functioning of the technology and the data should be destroyed in accordance with Yale data retention requirements.
• For further information, including the University Privacy Notice, see https://ogc.yale.edu/privacy/privacy-office

Security

• High risk or regulated data as defined per Yale’s data classification policy may not be used for student innovation projects.
• Data which is restricted to Yale University via authentication requires a pre-approved data use agreement. Complete this data governance request form via ServiceNow to initiate the process. Data in the student project must maintain the same or a more restrictive authorization scope.
• University requirements around NetIDs must be met. A NetID is assigned to and to be used by one person only:
  • No sharing of credentials
  • No caching / replaying of credentials. Yale’s security standards follow Yale’s data. Any system which stores, processes, or transmits Yale data must meet and maintain Yale’s minimum security standards, including:
    • Application of all security patches to all software in a timely fashion
    • Implementation and maintenance of a strong configuration standard
• See cybersecurity.yale.edu/mss for further details.

Operational concerns

• Using institutional APIs or scraping Yale websites must be done in a way that does not impact normal operations.

Acceptable Use

• Use must not impact the University’s non-profit status.

As a federally-funded, tax-exempt educational institution, the University is bound by certain rules and restrictions regarding the programs and activities in which it engages. As such, the University must be vigilant about the use of University resources to ensure that they are not used to improperly benefit commercial or private enterprise.

• The use must not be represented as Yale University or as endorsed by Yale University unless authorized by the University.

Use of the University’s name and associated marks in connection with programs and activities, other than by way of descriptive identification of the individual creator as a student, faculty member, or staff member at the University, is itself use of a significant University resource and protected by federal trademark law. Therefore, students or individual members of the University community must be accurate in communicating the University’s involvement in their programs and activities. Unless expressly authorized by the University, they must not state or suggest institutional endorsement or approval of:

• external organizations, programs and activities (including those in which other University community members are involved in their individual capacities);
• the products or services of such organizations, programs and activities; or
• the personal views or statements of students, faculty, staff, or other University community members.

Technology Lifecycle

• Maintenance of the technology
• Termination of the technology at end of life
• Transition process if a technology project transitions to a University-supported initiative

Future policy and guideline updates

• Yale’s policies can and do change. Users are expected to stay current with University policy requirements and adjust any data use accordingly.
• This guide will be updated periodically.
• Policies may change, be sure to check these guidelines when you plan to request use of institutional data.

Available resources

• 1607 IT AUP
• Minimum Security Standards
• 1601: Information Access and Security 
• List of helpful APIs/websites/resources

Questions / point of contact

• Questions can be directed to Kathleen Galo at kathleen.galo@yale.edu or submitted via the Data Governance request form.