Practices for Protecting Electronic P3-P4 Data
On This Page:
- Introduction
- General Practices for Protecting P3-P4 Data
- Best Practices for Protecting Any P3-P4 Data You Must Transmit or Store
- Additional Precautions When Storing P3-P4 Data
- P3-P4 Data in Disposed of and Reused Electronic Devices and Media
- Disaster Recovery and Emergency Procedures
- Third Party/Vendor Relationships
- Reporting Security Incidents
- Frequently Asked Questions
Introduction
All data and information created, received, and/or collected by UC (institutional information) must be protected from unauthorized access or disclosure. Everyone at UC Santa Cruz has a responsibility to protect university data under their jurisdiction or control.
This page includes practices for protecting all P3-P4 university data. There may be additional specific requirements for protecting some categories of university data, such as protected health information (PHI/HIPAA data), credit card information (PCI), and research data subject to specific federal or grant requirements.
While the best way to protect P3-P4 data is not to have it in the first place, this is not always possible. The following practices are designed to provide realistic, achievable ways to protect this information.
General Practices for Protecting P3-P4 Data
The following practices apply to all uses of P3-P4 data:
- Comply: Confirm you are complying with the UC Minimum Security Standard and other secure practices by following all steps under How to Stay Secure.
- Authorization: Be sure that you have proper authorization and training prior to accessing P3-P4 data (see FAQs below).
- Do Not Share: Never share or discuss P3-P4 data with unauthorized individuals.
- Safe storage: Store the minimum amount of P3-P4 data possible, and know where it is stored.
- Shred: Always shred physical documents with P3-P4 data when they are no longer needed.
- Delete: Securely delete P3-P4 data when there is no longer a business need for its retention.
- Read and sign UCSC's Access to Information Statement (required for all ITS staff).
Best Practices for Protecting Any P3-P4 Data You Must Transmit or Store
- Encrypt all P3-P4 data when it is transmitted or stored (required). This includes P3-P4 data that is online, remotely accessible, in emails, file transfers, and workstation/server communications, as well as P3-P4 data stored in a physical or virtual database, on a file server, or in an archival server.
- Use secure networks such as eduroam (on-campus) and campus VPN (off-campus) to transmit P3-P4 data.
- Keep P4 data out of the cloud.
- Avoid using public wireless networks and set devices to “ask” before joining new networks so you don’t unknowingly connect to unsecured wireless networks.
- Notify any recipients of P3-P4 data that the data requires security protections.
- Don't install unknown or unsolicited programs, such as toolbars or browser extensions, on your computer. These can harbor behind-the-scenes computer viruses or open a “back door” giving others access to your computer without your knowledge.
Additional Precautions When Storing P3-P4 Data
- Be sure you know who has access to server folders before you put P4 data there. Confirm share settings in Google Drive before you put P3 data there.
- Don’t put sensitive information in locations that are accessible from the internet.
- Refrain from capturing P3-P4 data in screenshots.
- Design database systems so that P3-P4 data can be identified, and avoid using P3-P4 data elements as the "key" to a database.
P3-P4 Data in Disposed of and Reused Electronic Devices and Media
P3-P4 data must be destroyed or completely and securely removed from computers, electronic devices, and electronic media (including backups) before disposal, reuse, or reassignment.
Disaster Recovery and Emergency Procedures
In the event of a disaster or other emergency:
- All P3-P4 data must be backed up regularly to a secure location.
- Backup media containing P3-P4 data must be physically secure, encrypted, and transported securely.
- Be familiar with your department's or unit's disaster recovery plan and emergency operations procedures for the protection of P3-P4 data.
Third Party/Vendor Relationships
If you are planning a contract where a non-UCSC third party will access, collect, process, or maintain UC institutional information and/or access IT resources, the Appendix Data Security (DS) must be included as part of the contractual terms and conditions.
Reporting Security Incidents
Promptly report suspected or actual security violations. Any events involving P3-P4 data must be reported.
Frequently Asked Questions
What is P3-P4 data?
P3-P4 is especially sensitive information such as personally identifiable information (PII), protected health information, financial information and other institutional information that carries potential legal, financial, ethical, and safety implications if exposed to third parties. For a full description and a list of examples, see Protection Levels for UC Institutional Information.
How do I know if I am authorized to handle P3-P4 data?
Background checks and/or fingerprinting are required when hiring or reassigning individuals to critical positions that will require access to P3-P4 data. All employees whose jobs involve working with P3-P4 data should receive training on basic computer security awareness, security incident response, practices for protecting P3-P4 data, and relevant policy requirements. General training materials are available on the ITS Security Awareness Training page. Additional training may be required for access to specific regulatory protected data. For additional information, contact Staff Human Resources or the Academic Personnel Office.
How do I encrypt P3-P4 data?
If you need to send files containing P4 data, use the Virtru service to send them securely. Files containing P3 data can be stored and shared via Google Drive. Avoid standard (unencrypted) email and unencrypted instant messaging (IM). Sensitive information should not be sent through the campus email service.