Information resources are broken into three categories of risk: low, medium, and high. All information has some level of risk and a minimum level of protection requirements. There are categories of information which have higher levels of risk either because of the sensitive nature of the information (e.g. medical treatment information) or because of the value of the information (e.g. a name and social security number).
Information must be properly protected based on the value of the data and the likelihood that the data may be targeted for theft.
To achieve this, two general groups of data are associated with the higher categories of risk:
- Sensitive Information ("Medium" risk)
- Restricted Information ("High" risk)
The term sensitive information applies broadly to information for which access or disclosure may be assigned some degree of sensitivity, and therefore, for which some degree of protection or access restriction may be warranted. Unauthorized access to or disclosure of information in this category could result in a serious adverse effect, cause financial loss, cause damage to the University's reputation and loss of confidence or public standing, constitute an unwarranted invasion of privacy, or adversely affect a partner, e.g., a business or agency working with the University.
"Restricted data" is a particularly sensitive category of confidential data. UC defines restricted data as follows:
Any confidential or personal information that is protected by law or policy and that requires the highest level of access control and security protection, whether in storage or in transit. The term should not be confused with that used by the UC-managed national laboratories where federal programs may employ a different classification scheme.
At UC Irvine, restricted data includes, but is not necessarily limited to:
- Personal Identity Information (PII)
- Electronic protected health information (ePHI) protected by Federal HIPAA legislation
- Credit card data regulated by the Payment Card Industry (PCI)
- Records of students with a FERPA block in the campus directory*
- Export Controlled data
- Information relating to an ongoing criminal investigation
- Court-ordered settlement agreements requiring non-disclosure
- Information specifically identified by contract as restricted
- Other information for which the degree of adverse effect that may result from unauthorized access or disclosure is high.
* Student data classification issues should be resolved in consultation with the Registrar's FERPA Analyst.
Personal Identity Information (PII) means electronic information that includes:
1) an individual's first name or initial, and last name, in combination with any one or more of the following:
- Social Security number (SSN)
- Driver's license number or State-issued Identification Card number (including Passport)
- Financial account number, credit card number*, or debit card number in combination with any required security code, access code, or password
- Personal medical information **
- Health insurance information
- Information or data collected through the use/operation of an automated license plate recognition system
or 2) a user name or email address, together with a password or security question and answer, that would permit access to an online account.
* Credit card information is also regulated by the Payment Card Industry (PCI) Data Security Standard.
** Personal medical information is also regulated by HIPAA.