
Restricted Data Resources
Definition and Selected References Relating to the Protection of Restricted and Confidential Data
Definitions
Confidential Data:
The term confidential data applies broadly to information for which access or disclosure may be assigned some degree of sensitivity, and therefore, for which some degree of protection or access restriction may be warranted. Unauthorized access to or disclosure of information in this category could result in a serious adverse effect, cause financial loss, cause damage to the University’s reputation and loss of confidence or public standing, constitute an unwarranted invasion of privacy, or adversely affect a partner, e.g., a business or agency working with the University.
Restricted Data:
"Restricted data" is a particularly sensitive category of confidential data. UC defines restricted data as follows:
Any confidential or personal information that is protected by law or policy and that requires the highest level of access control and security protection, whether in storage or in transit. The term should not be confused with that used by the UC-managed national laboratories where federal programs may employ a different classification scheme.
At UCSC, restricted data includes, but is not necessarily limited to
Please follow the above links to the corresponding sections below for additional information and links.
Personal Identity Information (PII):
Unencrypted electronic information that includes an individual’s first name or initial, and last name, in combination with any one or more of the following:
- Social Security number (SSN).
- Driver's license number or State-issued Identification Card number.
- Financial account number, credit card number*, or debit card number in combination with any required security code, access code, or password.
- Personal medical information.
- Health insurance information.
*Credit card information is also regulated by the Payment Card Industry (PCI) Data Security Standard. See below.
Note: See the Personal Identity Information Resources page for a more detailed definition.
Risk Assessment Matrix
This protection matrix identifies protections for data according to the level of sensitivity of that data. This tool identifies protections that should be in place according to law and policy in order to help data owners assess whether current (or, for a new system, planned) protections are adequate or may require remediation or re-thinking.
Guidelines for Protecting Restricted Data
- UCSC's "Quick-Reference" of practices for protecting electronic restricted data provides a mostly-non-technical list of practices for protecting sensitive data.
- A more comprehensive set of practices for protecting electronic restricted data is also available, including additional responsibilities for Managers and Service Providers.
- UC Business and Finance Bulletin IS-3, Electronic Information Security is a comprehensive Electronic Information Security policy and set of guidelines designed to reduce risks related to maintaining the integrity of electronic information resources. BFB IS-3 applies to all UC campuses and facilities, as well as to their vendors, contractors and business partners. BFB IS-3
Personal Identity Information (PII)
The "UCSC Implementation Plan for Protection of Electronic Personal Identity Information" (PII), implemented on June 26, 2003, identifies roles and responsibilities with respect to the protection of PII data and reporting of breaches. It also details UCSC's incident response plan and the support structure for handling security incidents. Credit card information also falls within the scope of this Implementation Plan. UCSC PII Implementation Plan
More information about PII, including a detailed definition, can be found on the Personal Identity Information Resources page.
- State Law: California Civil Code 1798.29: California Information Practices Act, Accounting of Disclosures (AKA SB-1386 California, Privacy of Personal Information to Prevent Identity Theft), requires mandatory notice to the subject of an unauthorized, unencrypted electronic disclosure of "personal information." California Civil Code
Electronic Protected Health Information (ePHI & HIPAA)
- HIPAA Information and educational resources at UC Office of the President (UCOP). HIPAA
- California Civil Code 1798.81.5: California Information Practices Act, Consumer Records, outlines the definition of and required protections for protected health information. This applies to health information that is not subject to HIPAA. California Civil Code.
Credit Card Data
- Payment Card Industry Data Security Standard: Payment Card Industry (PCI) Data Security Requirements which apply to all Members, merchants, and service providers that store, process or transmit cardholder data. Additionally, these security requirements apply to all "system components" which is defined as any network component, server, or application included in, or connected to, the cardholder data environment. PCI Data Security Standards
- Payment Card Industry Self-Assessment Questionnaire: Questionnaire designed to determine compliance with the Payment Card Industry Data Security Standard. PCI Questionnaire
Student Records Protected by FERPA (The Federal Family Educational Rights and Privacy Act of 1974)
- See the "UCSC Policy on Privacy of Student Records: A Quick Reference" and the "UCSC Administrative Procedures Applying to Disclosure of Information from Student Records" on the Registrar's web site for information and links.
Note: All individuals who have access to student records are charged with upholding their privacy in accordance with FERPA. Employees are expected to review the Quick Reference and FAQs about privacy of student information and take the Registrar's online FERPA Quiz.
UCSC Access to Information Statement
All UCSC employees must read and sign the "University Administration Information System Access to Information Statement" prior to obtaining access to University restricted data in central campus systems. This Access to Information Statement outlines the rules governing access to protected information at UCSC. Access to Information Statement
Contract Language
If you are planning a contract that will provide a third party (e.g. contractors and consultants) with sensitive information, or access to UCSC systems or applications that contain sensitive information, be sure to inform Purchasing or Business Contracts so the appropriate data security contract language can be included in the agreement.
It is also strongly recommended that you ensure the vendor has read this contract language in their contractual terms and conditions to ensure they understand their obligations under it.
Additional information and a signable version of the data security contract language (Appendix DS) are available online. Third Party Access to Sensitive Data
Getting Help
For questions about Restricted Data, or any of these requirements or resources, contact the ITS Service Manager for Community and Compliance at itpolicy@ucsc.edu or (831) 459-2779.
Rev. 2/23/09