Restricted Data Resources

Definitions and Selected References Relating to the Protection of Restricted and Confidential Data


Definitions

Confidential Data:
The term confidential data applies broadly to information for which access or disclosure may be assigned some degree of sensitivity, and therefore, for which some degree of protection or access restriction may be warranted. Unauthorized access to or disclosure of information in this category could result in a serious adverse effect, cause financial loss, cause damage to the University’s reputation and loss of confidence or public standing, constitute an unwarranted invasion of privacy, or adversely affect a partner, e.g., a business or agency working with the University.

Restricted Data:
"Restricted data" is a particularly sensitive category of confidential data. UC defines restricted data as follows:

Any confidential or personal information that is protected by law or policy and that requires the highest level of access control and security protection, whether in storage or in transit. The term should not be confused with that used by the UC-managed national laboratories where federal programs may employ a different classification scheme.

At UCSC, restricted data includes, but is not necessarily limited to

Please follow the above links to the corresponding sections below for additional information and links.

Personal Identity Information (PII):
Unencrypted electronic information that includes an individual’s first name or initial, and last name, in combination with any one or more of the following:

  • Social Security number (SSN).
  • Driver’s license number or State-issued Identification Card number.
  • Financial account number, credit card number*, or debit card number in combination with any required security code, access code, or password.
  • Personal medical information.
  • Health insurance information.

Note: See the Personal Identity Information Resources page for a more detailed definition.

*Credit card information is also regulated by the Payment Card Industry (PCI) Data Security Standard. See below.


Protecting Restricted Data


Risk Assessment Matrix

This protection matrix identifies protections for data according to the level of sensitivity of that data. This tool identifies protections that should be in place according to law and policy. The purpose of this matrix is to help data owners assess whether current (or, for a new system, planned) protections are adequate or may require remediation or re-thinking.


Personal Identity Information (PII)

  • State Law: California Civil Code 1798.29: California Information Practices Act, Accounting of Disclosures (AKA SB-1386 California, Privacy of Personal Information to Prevent Identity Theft) -- requires mandatory notice to the subject of an unauthorized, unencrypted electronic disclosure of "personal information."

Electronic Protected Health Information (ePHI & HIPAA)

  • California Civil Code 1798.81.5: California Information Practices Act, Consumer Records, outlines the definition of and required protections for protected health information. This applies to health information that is not subject to HIPAA.

Credit Card Data


Student Records Protected by FERPA (The Federal Family Educational Rights and Privacy Act of 1974)

  • UCSC Policy on Privacy of Student Records: A Quick Reference  
  • UCSC Administrative Procedures Applying to Disclosure of Information from Student Records
    (Registrar's web site)

Note: All individuals who have access to student records are charged with upholding their privacy in accordance with FERPA. Employees are expected to review the Quick Reference and FAQs about privacy of student information and take the Registrar's online FERPA Quiz.


UCSC Access to Information Statement

All UCSC employees must read and sign the University Administration Information System Access to Information Statement prior to obtaining access to University restricted data in central campus systems. This Access to Information Statement outlines the rules governing access to protected information at UCSC.


Contract Language

Third Party Access to Sensitive Data / Appendix DS

If you are planning a contract that will provide a third party (e.g. contractors and consultants) with sensitive information, or access to UCSC systems or applications that contain sensitive information, be sure to inform Purchasing or Business Contracts so the appropriate data security contract language can be included in the agreement.

It is also strongly recommended that you confirm the vendor has read this contract language in their contractual terms and conditions, so that they understand their obligations under it.


Encryption

Encryption can dramatically reduce the risks associated with stored restricted data, and especially PII. Encryption comes with tradeoffs, however. In general, if you lose or forget your encryption key/password, you will lose your encrypted data. Because of this, encryption is considered an at-your-own-risk option. Encrypting local, non-authoritative copies of restricted data that is also stored securely elsewhere is less risky. Work with ITS to determine if encryption is an appropriate option for you. Also see: http://its.ucsc.edu/security_awareness/encryption.php


Getting Help

Contact the ITS Support Center if you would like your computer configured to meet these requirements. If you have questions, contact the Support Center or your ITS Divisional Liaison.

Reviewed April 2013