Data Classifications and Protection Requirements at UC Irvine

Data Definitions

Information recoures are broken into three categories of risk: low, medium, and high. All information has some level of risk and a minimum level of protection requirements. There are categories of information which have higher levels of risk either because of the sensitive nature of the information (e.g. medical treatment information) or because of the value of the information (e.g. a name and social security number).

Information must be properly protected based on the value of the data and the likelihood that the data may be targeted for theft.

To achieve this, there are two general groups of data which are associated with the categories of risk:

• Sensitive Information ("Medium" risk)
• Restricted Information ("High" risk)

An easy-to-use matrix has been developed to find which protections controls are required for which level of risk: Protection Matrix

Sensitive Information ("Medium")

The term sensitive information applies broadly to information for which access or disclosure may be assigned some degree of sensitivity, and therefore, for which some degree of protection or access restriction may be warranted. Unauthorized access to or disclosure of information in this category could result in a serious adverse effect, cause financial loss, cause damage to the University's reputation and loss of confidence or public standing, constitute an unwarranted invasion of privacy, or adversely affect a partner, e.g., a business or agency working with the University.

Restricted Information ("High")

"Restricted data" is a particularly sensitive category of confidential data. UC defines restricted data as follows:

Any confidential or personal information that is protected by law or policy and that requires the highest level of access control and security protection, whether in storage or in transit. The term should not be confused with that used by the UC-managed national laboratories where federal programs may employ a different classification scheme.

At UC Irvine, restricted data includes, but is not necessarily limited to

• Personal Identity Information (PII)
• Electronic protected health information (ePHI) protected by Federal HIPAA legislation
• Credit card data regulated by the Payment Card Industry (PCI)
• Records of students with a FERPA block in the campus directory
• Information relating to an ongoing criminal investigation
• Court-ordered settlement agreements requiring non-disclosure
• Information specifically identified by contract as restricted
• Other information for which the degree of adverse affect that may result from unauthorized access or disclosure is high.

Personal Identity Information (PII)

Unencrypted electronic information that includes an individual's first name or initial, and last name, in combination with any one or more of the following:

• Social Security number (SSN)
• Drivers license number or State-issued Identification Card number
• Financial account number, credit card number*, or debit card number in combination with any required security code, access code, or password
• Personal medical information **
• Health insurance information

* Credit card information is also regulated by the Payment Card Industry (PCI) Data Security Standard.

** Personal medical information is also regulated by HIPAA

Updated: February 02, 2010

Site Feedback