Yale Data and Yale IT Systems may be subject to external obligations. External obligations can include contractual or regulatory requirements. Examples of these obligations include:
- Regulatory: HIPAA, PCI, and FERPA
- Contractual: Data Use Agreements (DUA)
External obligations can increase security requirements for your data or IT System. Regulatory or contractual obligations can mandate either of the following:
- Additional, required security controls to protect the data.
- Yale’s obligations in the event of a security incident or data breach.
These mandates can impact how to build or maintain your Yale IT System. This is why external obligations are part of classifying Yale IT Systems.
Important note: External obligations may require controls not listed in Yale's Minimum Security Standards (MSS). System support providers must know what external obligations affect the systems they support. This ensures the system is maintained to meet any requirements from those obligations.
Determine if your data/system is subject to external obligations:
Ways to determine if your data/system is subject to external obligations include:
- Take Yale’s Data Classification Questionnaire. This questionnaire can determine common regulatory requirements that apply to Yale Data.
- Talk to your supervisor or Principal Investigator (PI). They should know if there are any external obligations associated with the work you do. Below, we provide a list of common external obligations that affect Yale data sets. Reference this list to help guide your conversation.
Examples of external obligations:
Below is a list of common external obligations that affect Yale data sets. This list does not cover all external obligations. You must know your external obligations before determining your overall risk classification. See the Risk Classification Guideline for more details.
Data Use Agreements (DUA)/Data Management Plans
These are contractual documents used for the transfer of data that:
- Was developed by a nonprofit, government, or private industry.
- Is nonpublic or otherwise subject to some restrictions on its use.
This may apply to anyone working with a data set(s) from an external third party. If this applies to you, confirm whether the data set(s) are subject to any sort of contract or agreement.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA data is classified as High Risk. This means any data or IT System containing HIPAA data is High Risk. Your data may be subject to HIPAA if you are:
For more information on HIPAA, visit:
For information around de-identification of PHI, view:
Payment Card Industry Data Security Standards (PCI DSS)
PCI DSS data is classified as High Risk at Yale. This means any data or IT System containing PCI DSS data is High Risk. For more information on PCI DSS, visit:
Social Security Numbers (SSNs)
Social Security Numbers (SSNs) are classified as High Risk at Yale. This means any data or IT System containing SSNs is High Risk. For more information on SSNs, visit:
Family Educational Rights and Privacy Act (FERPA)
FERPA data is classified as Moderate Risk data at Yale. This means any data or IT System containing FERPA data is Moderate Risk. For more information on FERPA, visit:
Gramm-Leach-Bliley Act (GLBA)
GLBA data is classified as High Risk data at Yale. This means any data or IT System containing GLBA data is High Risk. For more information on GLBA, visit:
If you are unsure if there are any external obligations that apply to your work, we recommend talking to:
- Your supervisor
- Your PI
They should know if there are any external obligations associated with your work.
We are also here to help. You can email your questions to us. We also welcome any feedback you have on the content on this page.
Some external obligations hold legal and contractual weight. We need to ensure we follow any applicable external obligations.