Restricted Data Resources
Definitions and Selected References Relating to the Protection of Restricted and Confidential Data
- Definitions: Restricted and Confidential Data, PII
- Protecting Restricted Data
- Protection Matrix
- Personal Identity Information (PII)
- Electronic Protected Health Information (ePHI & HIPAA)
- Credit Card Data
- Student Records Protected by FERPA (The Federal Family Educational Rights and Privacy Act of 1974)
- UCSC Access to Information Statement
- Contract Language
- Getting Help
The term confidential data applies broadly to information for which access or disclosure may be assigned some degree of sensitivity, and therefore, for which some degree of protection or access restriction may be warranted. Unauthorized access to or disclosure of information in this category could result in a serious adverse effect, cause financial loss, cause damage to the University’s reputation and loss of confidence or public standing, constitute an unwarranted invasion of privacy, or adversely affect a partner, e.g., a business or agency working with the University.
"Restricted data" is a particularly sensitive category of confidential data. UC defines restricted data as follows:
Any confidential or personal information that is protected by law or policy and that requires the highest level of access control and security protection, whether in storage or in transit. The term should not be confused with that used by the UC-managed national laboratories where federal programs may employ a different classification scheme.
At UCSC, restricted data includes, but is not necessarily limited to:
- Personal Identity Information (PII)
- Electronic protected health information (ePHI) protected by Federal HIPAA legislation
- Credit card data regulated by the Payment Card Industry (PCI)
- Information relating to an ongoing criminal investigation
- Court-ordered settlement agreements requiring non-disclosure
- Information specifically identified by contract as restricted
- Other information for which the degree of adverse effect that may result from unauthorized access or disclosure is high.
Please follow the above links to the corresponding sections below for additional information and links.
Personal Identity Information (PII):
Unencrypted electronic information that includes an individual’s first name or initial, and last name, in combination with any one or more of the following:
- Social Security number (SSN).
- Driver's license number or State-issued Identification Card number.
- Financial account number, credit card number*, or debit card number in combination with any required security code, access code, or password.
- Personal medical information.
- Health insurance information.
*Credit card information is also regulated by the Payment Card Industry (PCI) Data Security Standard. See below.
Note: See the Personal Identity Information Resources page for a more detailed definition.
- Practices for protecting electronic restricted data
- UC Business and Finance Bulletin IS-3, Electronic Information Security is a comprehensive Electronic Information Security policy and set of guidelines designed to reduce risks related to maintaining the integrity of electronic information resources. BFB IS-3 applies to all UC campuses and facilities, as well as to their vendors, contractors and business partners.
- IS-3 Assessment Template (.xls download)
This protection matrix identifies protections for data according to the level of sensitivity of that data. This tool identifies protections that should be in place according to law and policy. The purpose of this matrix is to help data owners assess whether current (or, for a new system, planned) protections are adequate or may require remediation or re-thinking.
- UCSC Policy: PII Inventory and Security Breach Procedures
More information about PII, including a detailed definition, can be found on the Personal Identity Information Resources page. A training page is also available.
- State Law: California Civil Code 1798.29: California Information Practices Act, Accounting of Disclosures (AKA SB-1386 California, Privacy of Personal Information to Prevent Identity Theft) -- requires mandatory notice to the subject of an unauthorized, unencrypted electronic disclosure of "personal information."
- California Civil Code 1798.81.5: California Information Practices Act, Consumer Records, outlines the definition of and required protections for protected health information. This applies to health information that is not subject to HIPAA.
- Payment Card Industry Data Security Standard (PCI DSS): The PCI DSS applies to all Members, merchants, and service providers that store, process or transmit credit cardholder data.
- Payment Card Industry Self-Assessment Questionnaire: Questionnaire designed to determine compliance with the Payment Card Industry Data Security Standard.
- UCSC Policy on Privacy of Student Records: A Quick Reference
- UCSC Administrative Procedures Applying to Disclosure of Information from Student Records (Registrar's web site)
Note: All individuals who have access to student records are charged with upholding their privacy in accordance with FERPA. Employees are expected to review the Quick Reference and FAQs about privacy of student information and take the Registrar's online FERPA Quiz.
All UCSC employees must read and sign the University Administration Information System Access to Information Statement prior to obtaining access to University restricted data in central campus systems. This Access to Information Statement outlines the rules governing access to protected information at UCSC.
If you are planning a contract that will provide a third party (e.g. contractors and consultants) with sensitive information, or access to UCSC systems or applications that contain sensitive information, be sure to inform Purchasing or Business Contracts so the appropriate data security contract language can be included in the agreement.
It is also strongly recommended that you confirm the vendor has read this contract language in their contractual terms and conditions, so that they understand their obligations under it.
Encryption can dramatically reduce the risks associated with stored restricted data, and especially PII. Encryption comes with tradeoffs, however. In general, if you lose or forget your encryption key/password, you will lose your encrypted data. Because of this, encryption is considered an at-your-own-risk option. Encrypting local, non-authoritative copies of restricted data that is also stored securely elsewhere is less risky. Work with ITS to determine if encryption is an appropriate option for you. Also see: http://its.ucsc.edu/security_awareness/encryption.php
Reviewed April 2013