Types of Restricted Data
On this page:
- Confidential Information: The term “confidential information” applies broadly to information for which unauthorized access or disclosure could result in an adverse effect. To address this risk, some degree of protection or access restriction may be warranted.
- Restricted Information or Data: "Restricted information" is UC's term for the most sensitive confidential information. Restricted information or data is any confidential or personal information that is protected by law or policy and that requires the highest level of access control and security protection, whether in storage or in transit.
- Personal Identity Information (PII)
- Electronic protected health information (ePHI) protected by Federal HIPAA legislation
- Credit card data regulated by the Payment Card Industry (PCI)
- Passwords providing access to restricted data or resources
- Information relating to an ongoing criminal investigation
- Court-ordered settlement agreements requiring non-disclosure.
- Information specifically identified by contract as restricted.
- Other information for which the degree of adverse affect that may result from unauthorized access or disclosure is high.
Definitions and reference information follow.
Individuals with access to restricted data should, and in some cases are required to, read and sign the UCSC Access to Information Statement (PDF). Return the signed form to the requester.
- Access to Information Statements required for access to campus systems go to the ITS Support Center (mailstop: ITS-Kerr).
- Forms required by a department should be filed according to departmental procedures.
- Personal identity information (PII) is the electronic manifestation of an individual
first name or first initial, and last name, in combination with one or more of the following*:
- Social Security Number (SSN)
- Driver's license number, or State-Issued ID card #
- Account number, credit or debit card number
- Medical information
- Health insurance information
Personal Identity Information (PII) is Protected by State Law
- State Law: California Civil Code (1798.29 requires us to notify people if their unencrypted PII is disclosed without authorization.
- UCSC Policy: UCSC PII Inventory and Security Breach Procedures
- ITS Policy regarding storage and transmission of PII: http://its.ucsc.edu/policies/pii.html
- UCSC PII Resources: http://its.ucsc.edu/security/stay-secure/restricted/pii.html
- Patient health information which is computer based, e.g., created, received, stored or maintained, processed and/or transmitted in electronic media. Examples include:
- Medical record number, account number or SSN
- Patient demographic data, e.g., address, date of birth, date of death, sex, email / web address
- Dates of service, e.g., date of admission, discharge
- Medical records, reports, test results, appointment dates
- Special training is required for people who access ePHI. Contact your department for more information.
Electronic Protected Health Information (ePHI) is protected by State and Federal Laws
- State Laws: California Civil Code 1798.81.5: California Information Practices Act, Consumer Records, outlines the definition of and required protections for protected health information.
- Federal Laws: HIPAA Privacy & Security Laws mandate protection and safeguards for access, use and disclosure of PHI and/or ePHI with sanctions for violations.
- HIPAA Information at UCSC: http://its.ucsc.edu/policies/hipaa.html
- HIPAA Information at UCOP: http://www.universityofcalifornia.edu/hipaa/welcome.html
Credit card information is regulated by the Payment Card Industry (PCI) Data Security Standard (DSS).
Description of the PCI Standard
- The PCI DSS is a set of security requirements developed by credit card companies to ensure consistent data security measures for sensitive credit cardholder data. These requirements apply to anyone who stores, processes, transmits or otherwise has access to credit cardholder data. It also applies to all system components included in or connected to or the cardholder data environment.
- System components include network components, servers or applications.
- Special training is required for people with access to credit cardholder data. For information see: http://financial.ucsc.edu/Pages/Introduction_PCI_DSS.aspx
Payment Card Industry (PCI) Data Security Standard References
- PCI Compliance at UCSC: http://its.ucsc.edu/policies/pci.html
- Payment Card Industry Data Security Standard: https://www.pcisecuritystandards.org/security_standards/index.php
- Payment Card Industry Self-Assessment Questionnaire: Questionnaire designed to determine compliance with the Payment Card Industry Data Security Standard: https://www.pcisecuritystandards.org/merchants/self_assessment_form.php
The disclosure of information from student records is governed by FERPA.
At UCSC, the Registrar is the authoritative office for FERPA. Refer to the Registrar's website for information about privacy requirements for student records, as well as related resources: http://registrar.ucsc.edu/records/privacy/
- Everyone with access to FERPA-protected data should review this website and complete the Registrar's FERPA quiz (also at the above link).
Student records protected by FERPA are actually protected by both Federal and State laws
- Federal & State Laws: The disclosure of information from student records is governed by FERPA and, in part, by the State of California Education Code.
- Potential consequences include legal or civil action and withdrawal of funds under any program administered by the Secretary of Education.
- Home address or home telephone number
- Personal information protected by anti-discrimination and information privacy laws such as:
- Ethnicity or Gender
- Date of birth
- Marital Status
- Religion or Sexual orientation
- Certain types of student records
- Exams, answer keys, and grade books
- Applicant information in a pending recruitment
- Information subject to a non-disclosure agreement, including research data, intellectual property (IP), patent information and other proprietary data
- Academic evaluations and letters of recommendation
- Responses to a Request for Proposal (RFP) before a decision has been reached
- Some kinds of personnel actions
- "Pre-decisional" budget projections for a campus department (can also be marked "Draft" or "Not for Distribution")
For information about protecting restricted data, see Practices for Protecting Electronic Restricted Data: A Quick Reference
Rev. June 2013