External Obligations Guideline

Yale Data and IT Systems may be subject to external obligations. These external obligations can impose:

  • additional security controls
  • response obligations in the event of a security incident.

These obligations may exceed Yale's Minimum Security Standards (MSS). This is why they must be identified when classifying systems. To determine if your data or system is subject to such obligations, you can:

This page outlines the most common regulatory and contractual obligations we see at Yale, including: HIPAA, NIST 800-171, PCI, FERPA, and Data Use Agreements (DUAs).

Important Note

External obligations may require controls not listed in Yale’s Minimum Security Standards (MSS). System support providers must know what external obligations affect the systems they support. This ensures the system is maintained to meet any requirements from those obligations.

Common external obligations at Yale:

Below is a list of common external obligations that affect Yale data sets. This list does not cover all external obligations. You must know your external obligations before determining your overall risk classification. See the Risk Classification Guideline for more details.

Data Use Agreements (DUA)/Data Management Plans

These are contractual documents used for the transfer of data that:

  • Was developed by a nonprofit, government, or private industry.
  • Is nonpublic or otherwise subject to some restrictions on its use.

This may apply to anyone working with a data set from an external third party. If this applies to you, confirm whether the data sets are subject to any contract or agreement before classifying them.

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA data is classified as High Risk. This means any data or IT System containing HIPAA data is High Risk. Your data may be subject to HIPAA if you are:

For more information on HIPAA, visit:

For information around de-identification of PHI, view:

NIST 800-171

The purpose of NIST 800-171 is to establish security requirements for protecting the confidentiality of Controlled Unclassified Information (CUI) in non-federal systems and organizations that handle it for the government.

Compliance with NIST 800-171 is required for access to NIH controlled-access data and is also a requirement of some Department of Defense contracts.

Payment Card Industry Data Security Standards (PCI DSS)

PCI DSS data is classified as High Risk at Yale. This means any data or IT System containing PCI DSS data is High Risk. For more information on PCI DSS, visit:

Social Security Numbers (SSNs)

Social Security Numbers (SSNs) are classified as High Risk at Yale. This means any data or IT System containing SSNs is High Risk. For more information on SSNs, visit:

Family Educational Rights and Privacy Act (FERPA)

FERPA data is classified as Moderate Risk data at Yale. This means any data or IT System containing FERPA data is Moderate Risk. For more information on FERPA, visit:

Gramm-Leach-Bliley Act (GLBA)

GLBA data is classified as High Risk data at Yale. This means any data or IT System containing GLBA data is High Risk. For more information on GLBA, visit:

Need help?

If you are unsure if there are any external obligations that apply to your work, we recommend talking to:

  • Your supervisor
  • Your PI

They should know if there are any external obligations associated with your work.

We are also here to help. You can email your questions to information.security@yale.edu. We also welcome any feedback you have on the content on this page.