Restricted Data

Defining Confidential and Restricted Information

  • Confidential Information: The term “confidential information” applies broadly to information for which unauthorized access or disclosure could result in an adverse effect. To address this risk, some degree of protection or access restriction may be warranted.
  • Restricted Information or Data: "Restricted information" is UC's term for the most sensitive confidential information. Restricted information or data is any confidential or personal information that is protected by law or policy and that requires the highest level of access control and security protection, whether in storage or in transit.

Examples of Restricted Data
(definitions and reference information follow)

  • Personal Identity Information (PII)
  • Electronic protected health information (ePHI) protected by Federal HIPAA legislation
  • Credit card data regulated by the Payment Card Industry (PCI)
  • Passport number
  • Passwords providing access to restricted data or resources
  • Information relating to an ongoing criminal investigation
  • Court-ordered settlement agreements requiring non-disclosure
  • Information specifically identified by contract as restricted
  • Other information for which the degree of adverse affect that may result from unauthorized access or disclosure is high

Access to Information Statement

Individuals with access to restricted data should, and in some cases are required to, read and sign the UCSC Access to Information Statement. This Access to Information Statement outlines the rules governing access to protected information at UCSC. 

Definitions of Selected Types of Restricted Data

Personal Identity Information (PII)

  • Personal identity information (PII) is the electronic manifestation of an individual's first name or first initial, and last name, in combination with one or more of the following*:
    • Social Security Number (SSN)
    • Driver's license number, or State-Issued ID card number
    • Financial account number, credit** or debit card number in combination with any required security code, access code, or password
    • Personal medical information
    • Health insurance information
    *Please note, this is a condensed list. For a complete definition please see our online glossary.
    **Credit card information is also regulated by the Payment Card Industry (PCI) Data Security Standard. See below

Personal Identity Information (PII) is Protected by State Law and UC Policy

Electronic Protected Health Information (ePHI/HIPAA Data)

  • Patient health information which is computer based, e.g., created, received, stored, maintained, processed and/or transmitted in electronic media. Examples include:
    • Medical record number, account number or SSN
    • Patient demographic data, e.g., address, date of birth, date of death, sex, email / web address
    • Dates of service, e.g., date of admission, discharge
    • Medical records, reports, test results, appointment dates
  • Special training is required for people who access ePHI. Contact your department for more information.

Electronic Protected Health Information (ePHI) is protected by State and Federal Laws and UC Policy

Credit Card Data/PCI

Credit card information is regulated by the Payment Card Industry (PCI) Data Security Standard (DSS).

Description of the PCI Standard

  • The PCI DSS is a set of security requirements developed by credit card companies to ensure consistent data security measures for sensitive credit cardholder data. These requirements apply to anyone who stores, processes, transmits or otherwise has access to credit cardholder data. It also applies to all system components included in or connected to or the cardholder data environment.
    • System components include network components, servers, workstations, and applications.
  • Special training is required for people with access to credit cardholder data. For information see
    (ITS employees, see

Payment Card Industry (PCI) Data Security Standard References

FERPA: The Federal Family Educational Rights and Privacy Act of 1974

Most student records are not considered restricted data; they are considered confidential data. The disclosure of information from student records is governed by FERPA.

At UCSC, the Registrar is the authoritative office for FERPA. Refer to the Registrar's website for information about privacy requirements for student records, as well as related resources:

  • Everyone with access to FERPA-protected information is responsible for protecting its privacy in accordance with FERPA. Employees are expected to review the above website and complete the Registrar's FERPA quiz (also at the above link).

Student records protected by FERPA are protected by both Federal and State laws

  • Federal & State Laws: The disclosure of information from student records is governed by FERPA and, in part, by the State of California Education Code.
    • Potential consequences include legal or civil action and withdrawal of funds under any program administered by the Secretary of Education.

Examples of Other Types of Non-Restricted, Confidential Information

  • Home address or home telephone number
  • Personal information protected by anti-discrimination and information privacy laws such as:
    • Ethnicity or Gender
    • Date of birth
    • Citizenship
    • Marital Status
    • Religion or Sexual orientation
  • Certain types of student records
  • Exams, answer keys, and grade books
  • Applicant information in a pending recruitment
  • Information subject to a non-disclosure agreement, including research data, intellectual property (IP), patent information and other proprietary data
  • Academic evaluations and letters of recommendation
  • Responses to a Request for Proposal (RFP) before a decision has been reached
  • Some kinds of personnel actions
  • "Pre-decisional" budget projections for a campus department (can also be marked "Draft" or "Not for Distribution")

Protecting Restricted Data

  • Practices for protecting electronic restricted data
  • UC Business and Finance Bulletin IS-3, Electronic Information Security is a comprehensive Electronic Information Security policy and set of guidelines designed to reduce risks related to maintaining the integrity of electronic information resources. BFB IS-3 applies to all UC campuses and facilities, as well as to their vendors, contractors and business partners.
  • Protection Matrix: This protection matrix identifies protections for information according to its level of sensitivity. This tool identifies protections that should be in place according to law and policy. The purpose of this matrix is to help data owners assess whether current (or, for a new system, planned) protections are adequate or may require remediation or re-thinking.


Encryption can dramatically reduce the risks associated with stored restricted data, and especially PII.  ITS offers computer encryption service for UC managed desktops and laptops (Windows and Mac).  The Computer Encryption page describes what the service includes and how to get it.  Work with ITS to determine the appropriate encryption option for you. Also see:

Contract Language

Third Party Access to Sensitive Data / Appendix DS

If you are planning a contract that will provide a third party (e.g. contractors and consultants) with sensitive information, or access to UCSC systems or applications that contain sensitive information, be sure to inform Purchasing or Business Contracts so the appropriate data security contract language can be included in the agreement.

It is also strongly recommended that you ensure the vendor has read this contract language in their contractual terms and conditions to ensure they understand their obligations under it.


Protecting Restricted Data

Restricted data is any confidential or personal information that is protected by law or policy and that requires the highest level of access control and security protection, whether in storage or in transit.

Getting Help

If you have questions or need assistance, please contact the ITS Support Center or your ITS Divisional Liaison.