Restricted Data Resources

Definitions and Selected References Relating to the Protection of Restricted and Confidential Data


Confidential Data:
The term confidential data applies broadly to information for which access or disclosure may be assigned some degree of sensitivity, and therefore, for which some degree of protection or access restriction may be warranted. Unauthorized access to or disclosure of information in this category could result in an adverse effect, cause financial loss, cause damage to the University’s reputation and loss of confidence or public standing, constitute an unwarranted invasion of privacy, or adversely affect a partner, e.g., a business or agency working with the University.

Restricted Data:
"Restricted data" is a particularly sensitive category of confidential data. UC defines restricted data as follows:

Any confidential or personal information that is protected by law or policy and that requires the highest level of access control and security protection, whether in storage or in transit. 

At UCSC, restricted data includes, but is not necessarily limited to:

Personal Identity Information (PII):

Note: See the Personal Identity Information Resources page for a more detailed definition.

Unencrypted electronic information that includes an individual’s first name or initial, and last name, in combination with any one or more of the following:

  • Social Security number (SSN).
  • Driver’s license number or State-issued Identification Card number.
  • Financial account number, credit card number*, or debit card number in combination with any required security code, access code, or password.
  • Personal medical information.
  • Health insurance information.

*Credit card information is also regulated by the Payment Card Industry (PCI) Data Security Standard. See below.

Protecting Restricted Data

Protection Matrix

This protection matrix identifies protections for information according to its level of sensitivity. This tool identifies protections that should be in place according to law and policy. The purpose of this matrix is to help data owners assess whether current (or, for a new system, planned) protections are adequate or may require remediation or re-thinking.

Personal Identity Information (PII)

  • State Law: California Civil Code 1798.29: California Information Practices Act, Accounting of Disclosures (AKA SB-1386 California, Privacy of Personal Information to Prevent Identity Theft) -- requires mandatory notice to the subject of an unauthorized, unencrypted electronic disclosure of "personal information."

Electronic Protected Health Information (ePHI & HIPAA)

  • California Civil Code 1798.81.5: California Information Practices Act, Consumer Records, outlines the definition of and required protections for protected health information. This applies to health information that is not subject to HIPAA.

Credit Card Data

Student Records Protected by FERPA (The Federal Family Educational Rights and Privacy Act of 1974)

  • UCSC Policy on Privacy of Student Records: A Quick Reference  
  • UCSC Administrative Procedures Applying to Disclosure of Information from Student Records
    (Registrar's web site)

Note: All individuals who have access to student records are charged with upholding their privacy in accordance with FERPA. Employees are expected to review the Quick Reference and FAQs about privacy of student information and take the Registrar's online FERPA Quiz.

UCSC Access to Information Statement

All UCSC employees must read and sign the University Administration Information System Access to Information Statement prior to obtaining access to University restricted data in central campus systems. This Access to Information Statement outlines the rules governing access to protected information at UCSC.

Contract Language

Third Party Access to Sensitive Data / Appendix DS

If you are planning a contract that will provide a third party (e.g. contractors and consultants) with sensitive information, or access to UCSC systems or applications that contain sensitive information, be sure to inform Purchasing or Business Contracts so the appropriate data security contract language can be included in the agreement.

It is also strongly recommended that you confirm the vendor has read this contract language in their contractual terms and conditions, so that they understand their obligations under it.


Encryption can dramatically reduce the risks associated with stored restricted data, and especially PII. Encryption comes with tradeoffs, however. In general, if you lose or forget your encryption key/password, you will lose your encrypted data. Because of this, encryption is considered an at-your-own-risk option. Encrypting local, non-authoritative copies of restricted data that is also stored securely elsewhere is less risky. Work with ITS to determine if encryption is an appropriate option for you. Also see:

Getting Help

Contact the ITS Support Center if you would like your computer configured to meet these requirements. If you have questions, contact the Support Center or your ITS Divisional Liaison.

Reviewed April 2014