Data Policies

Yale has several complementary data policies to ensure that the campus community treats Yale’s data as a valuable asset. Below you will find:

  • Data Definitions
    • all of Yale’s data-related policies are linked under a small set of shared definitions.
  • Links to Policies
    • We have links to the current versions of Yale’s data policies, procedures, and standards

Oversight Model
Yale’s Information Security Office (ISO) and Privacy Office provide institutionwide oversight for all Yale data, regardless of type, domain, or use. This includes establishing and enforcing requirements related to security, privacy, risk, and data classification.

The University Data Office (UDO) oversees institutional data governance, including defining data domains, appointing Data Stewards, and providing governance frameworks and services for institutional data. UDO does not manage or govern clinical or research data, but collaborates with partner offices to ensure alignment with Universitywide requirements and efforts.

Definition
 Yale Data refers to any data created, received, stored, processed, transmitted, or managed in connection with Yale University activities, regardless of purpose, system, location, or format.[FJ1] 

Clarifying language

  • Includes institutional, research, clinical, academic, operational, and personal data
  • Includes data held in central systems, local systems, vendor platforms, and personal devices
  • All Yale Data is subject to Yale’s security, privacy[FJ2] [GK3] , risk, and classification requirements

Definition
 Institutional Data is the subset of Yale Data that is created, maintained, or used to support Yale’s administrative, operational, financial, and academic business functions.

Includes (nonexhaustive):

  • Human Resources, Finance, Budget, Facilities, Advancement, Alumni, Student Administration
  • Enterprise reporting and analytics
  • Research administration data (e.g., proposals, awards, compliance tracking), but not research data itself

Explicitly excludes:

  • Clinical data governed by healthcarespecific policies and regulations
  • Research data created or used in the conduct of research

Definition
 Research Data includes data collected, created, or used in the design, conduct, analysis, or reporting of research activities, regardless of funding source.

Research data is:

  • Governed by separate research policies, sponsor requirements, and compliance frameworks
  • Falls outside the operational scope of institutional data governance, but remains subject to security, privacy, and classification requirements

Definition
 Clinical Data includes data created or used in the delivery of clinical care, treatment, or healthcare operations, including PHI.

Clinical Data is:

  • Governed by healthcarespecific laws, regulations, and policies
  • Outside UDO’s institutional domain governance scope, but always subject to ISO, Privacy, and regulatory oversight

Definition
 A Data Domain is a logical grouping of related institutional data that supports a specific business or administrative function and is managed under shared governance, standards, and decision authority.

Key characteristics

  • Defined by business purpose, not by system
  • May span multiple systems or applications
  • Is assigned a Data Steward with decisionmaking authority

Definition
 A Data Steward is a Yaleappointed individual with ultimate responsibility and decisionmaking authority for a specific Data Domain.

Core responsibilities

  • Determines appropriate and inappropriate use of data in the domain
  • Approves access, sharing, and prioritization decisions
  • Ensures domain practices align with approved University policies and standards
  • Serves as the authoritative decisionmaker, with escalation paths when needed

Definition
 A Data Manager is a Subject Matter Expert (SME) designated by the Data Steward to support the operational management of data within a domain.Re

Core responsibilities

  • Manages daytoday data operations and data quality practices
  • Provides domain expertise on systems, definitions, and flows
  • Supports implementation of steward decisions
  • Acts as a primary point of contact for domain questions