Protected Data with Specific Regulatory Requirements

Definitions of Selected Types of Protected Data

  • Personally Identifiable Information (PII): Personally Identifiable Information (PII) is the electronic manifestation of an individual's first name or first initial, and last name, in combination with one or more of the following*:
    • Social Security Number (SSN)
    • Driver's license number, or State-Issued ID card number
    • Financial account number, credit** or debit card number in combination with any required security code, access code, or password
    • Personal medical information
    • Health insurance information
  • *Please note, this is a condensed list. For a complete definition please see our online glossary.
    **Credit card information is also regulated by the Payment Card Industry (PCI) Data Security Standard. See below

Personally Identifiable Information (PII) is Protected by State Law and UC Policy

Electronic Protected Health Information (ePHI/HIPAA Data)

  • Patient health information which is computer based, e.g., created, received, stored, maintained, processed and/or transmitted in electronic media. Examples include:
    • Medical record number, account number or SSN
    • Patient demographic data, e.g., address, date of birth, date of death, sex, email / web address
    • Dates of service, e.g., date of admission, discharge
    • Medical records, reports, test results, appointment dates
  • Special training is required for people who access ePHI. Contact your department for more information.

Electronic Protected Health Information (ePHI) is protected by State and Federal Laws and UC Policy

Credit Card Data/PCI

Credit card information is regulated by the Payment Card Industry (PCI) Data Security Standard (DSS).

Description of the PCI Standard

  • The PCI DSS is a set of security requirements developed by credit card companies to ensure consistent data security measures for sensitive credit cardholder data. These requirements apply to anyone who stores, processes, transmits or otherwise has access to credit cardholder data. It also applies to all system components included in or connected to or the cardholder data environment.
    • System components include network components, servers, workstations, and applications.
  • Special training is required for people with access to credit cardholder data. For information see
    (ITS employees, see

Payment Card Industry (PCI) Data Security Standard References

FERPA: The Federal Family Educational Rights and Privacy Act of 1974

Most student records are not considered P4 data; they are considered P3 data. The disclosure of information from student records is governed by FERPA.

At UCSC, the Registrar is the authoritative office for FERPA. Refer to the Registrar's website for information about privacy requirements for student records, as well as related resources:

  • Everyone with access to FERPA-protected information is responsible for protecting its privacy in accordance with FERPA. Employees are expected to review the above website and complete the Registrar's FERPA quiz (also at the above link).

Student records protected by FERPA are protected by both Federal and State laws

  • Federal & State Laws: The disclosure of information from student records is governed by FERPA and, in part, by the State of California Education Code.
    • Potential consequences include legal or civil action and withdrawal of funds under any program administered by the Secretary of Education.

Getting Help

If you have questions or need assistance, please contact the ITS Support Center or your ITS Divisional Liaison.