This Data Use Policy (the “Policy”) outlines the framework, roles, responsibilities, and procedures for the access, use, and management of data, particularly residency application data, within the institution. The purpose is to ensure responsible data stewardship, privacy compliance, and the ethical use of sensitive information.
This Policy applies to all staff, faculty, reviewers, researchers, and administrative personnel who access, manage, or analyze CORD data.
Data Set — An organized collection of digital derived data. Such Data may include confidential or proprietary information, personally identifiable information, or Protected Health Information (PHI), all of which may be subject to various federal and/or state privacy and data protection laws and regulations, including the Family Educational Rights and Privacy Act (FERPA) and/or the Health Insurance Portability and Accountability Act (HIPAA). For Data Sets to which access has been granted that include PHI, execution of a Business Associate Agreement may also be required.
Data User — The individual to whom access has been granted to the requested Data Set, including his or her immediate collaboration sphere, defined here as the institutions, partners, students, and staff members with whom the Data User collaborates, and to whom access must be granted, in order to fulfill the Data User's intended use of the Data Set.
Data Set Contact — The individual at CORD who authorizes the release of the Data Set to the Data User.
Data Set Creator — The individual(s) at CORD responsible for the collection or creation of the Data Set.
Sensitive Data - Data that includes personally identifiable information, PHI, protected academic records, or proprietary or confidential medical records that are not PHI.
Data Use Agreement (DUA): A formal agreement outlining the permitted use, sharing, and security of specific data sets.
IRB: Institutional Review Board overseeing human subject research compliance.
Access to data must be authorized through:
- A signed Data Use Agreement (DUA)
- Approval by the designated Data Set Contact
- IRB review and written approval if the use involves research
All requests must specify the data needed, purpose, necessary duration of use, and responsible individuals.
- Data must be used only for the approved purpose.
- No re-identification of anonymized data.
- No sharing of data without prior written approval.
- Use of encrypted systems and secure storage is mandatory.
- No publication or presentation may disclose identifiable information.
- Data may not be uploaded, submitted, or otherwise shared with public or third-party artificial intelligence (AI) platforms, including but not limited to generative AI tools, machine learning services, or large language model systems (e.g., ChatGPT, Claude, Gemini, or similar technologies).
- Access-controlled data storage systems must be used.
- Data must be encrypted at rest, with access restricted to the Data User.
- All users must complete data privacy and security training.
- Systems must support audit logging of data access.
- Data retention and destruction must adhere to the DUA.
- Data Set Contact: Approves access, ensures policy enforcement.
- Data Set Creator and Data Governance Committee: Monitor adherence to legal and regulatory requirements.
- Requestor/User: Ensures that data use is ethical, legal, and in compliance with this Policy.
All suspected or actual breaches of the Policy must be reported to the Data Set Contact and Data Governance Committee. An investigation will be initiated within 5 business days and appropriate action taken in accordance with institutional policy.
This Policy will be reviewed annually by the Data Governance Committee and updated as necessary to reflect regulatory, institutional, and technological changes.
All individuals accessing CORD data must sign an acknowledgment form agreeing to adhere to this Policy and applicable Data Use Agreements.