Sensitive Data

Division: 

Administration & Finance

Department: 

Information Technology Services

Contact Information: 

Nish Malik / Senior Associate Vice President (AVP) and Chief Information Officer (CIO) / (415) 405-4105 / nish@sfsu.edu

Effective Date: 

Monday, April 19, 2010

Revised Date: 

Monday, July 15, 2024

Authority: 

ISO Domain 8: Asset Management Policy

Objective: 

This Policy defines requirements for safeguarding SF State confidential data.  

Definitions: 

Confidential Data

Data or information that is protected by laws, regulations or industry standards is considered confidential.  There are three levels of data classification (Level 1, Level 2, and Level 3) that the CSU has adopted regarding the level of security associated with particular types of information assets. The three levels described below are meant to be illustrative, and the list of examples of the types of data contained below is not exhaustive. Please note that this classification standard is not intended to be used to determine eligibility of requests for information under the California Public Records Act or HEERA. These requests should be analyzed by the appropriate legal counsel or administrator.

Level 1 Data (Confidential)

Information may be classified as “confidential” based on criteria including but not limited to:

  1. Disclosure exemptions - Information maintained by the University that is exempt from disclosure under the provisions of the California Public Records Act or other applicable state or federal laws.
  2. Severe risk - Information whose unauthorized use, access, disclosure, acquisition, modification, loss, or deletion could result in severe damage to the CSU, its students, employees, or customers. Financial loss, damage to the CSU’s reputation, and legal action could occur.
  3. Limited use - Information intended solely for use within the CSU and limited to those with a “business need-to-know.”
  4. Legal Obligations - Information for which disclosure to persons outside of the University is governed by specific standards and controls designed to protect the information.

Examples of Level 1 – Confidential information include but are not limited to:

  • Passwords or credentials that grant access to Level 1 and Level 2 data
  • PINs (Personal Identification Numbers)
  • Birth date combined with last four digits of SSN and name
  • Credit card numbers with cardholder name
  • Tax ID with name
  • Driver’s license number, state identification card, and other forms of national or international identification (such as passports, visas, etc.) in combination with name
  • Social Security number and name
  • Health insurance information
  • Medical records related to an individual
  • Psychological Counseling records related to an individual
  • Bank account or debit card information in combination with any required security code, access code, or password that would permit access to an individual's financial account
  • Biometric information
  • Electronic or digitized signatures
  • Private key (digital certificate)
  • Law enforcement personnel records
  • Criminal background check results
  • Attorney/client communications
  • Legal investigations conducted by the University 
  • Third-party proprietary information per contractual agreement 
  • Sealed bids

Level 2 Data (Internal Use)

Information may be classified as “internal use” based on criteria including but not limited to:

  1. Sensitivity - Information which must be protected due to proprietary, ethical, contractual or privacy considerations.
  2. Moderate risk - Information which may not be specifically protected by statute, regulations, or other legal obligations or mandates but for which unauthorized use, access, disclosure, acquisition, modification, loss, or deletion could cause financial loss, damage to the CSU’s reputation, violate an individual’s privacy rights, or make legal action necessary.

Examples of Level 2 – Internal Use information include but are not limited to:

  • Identity Validation Keys (name with)

    • Birth date (full: mm-dd-yy)
    • Birth date (partial: mm-dd only)
  • Photo (taken for identification purposes)
  • Student Information-Educational Records not defined as “directory” information, typically:
    • Grades
    • Courses taken
    • Schedule
    • Test Scores
    • Advising records
    • Educational services received
    • Disciplinary actions
  • Non-directory student information
  • Employee Information

    • Employee net salary
    • Home address
    • Personal telephone numbers
    • Personal email address
    • Payment History
    • Employee evaluations
    • Pre-employment background investigations
    • Mother’s maiden name
    • Race and ethnicity
    • Parents’ and other family members’ names
    • Birthplace (City, State, Country)
    • Gender
    • Marital Status
    • Physical description
  • Other
    • Library circulation information
    • Trade secrets or intellectual property such as research activities
    • Location of critical or protected assets
    • Licensed software
    • Vulnerability/security information related to a campus or system

Level 3 Data (General)

Data designated as “general” is publicly available and/or intended to be provided to the public. Information at this level requires no specific protective measures and disclosure of this information does not expose the CSU to financial loss or jeopardize the security of the CSU’s

Examples of Level 3 – General information include but are not limited to:

  • Campus Identification Keys

    • Campus identification number (SF State ID)
    • User ID (do not list in a public or a large aggregate list where it is not the same as the student email address)
  • Student directory information
  • Educational directory information (FERPA)
  • Employee Information (including student employees)
    • Employee Title
    • Status as student employee (such as TA, GA, ISA)
    • Employee campus email address
    • Employee work location and telephone number
    • Employing department
    • Employee classification
    • Employee gross salary
    • Name (first, middle, last) (except when associated with protected data)
    • Signature (non-electronic)

Personal Identity Information (PII)

PII is defined by California State Law (Civil Code 1798.29) as an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted.

  • Social security number.
  • Driver’s license number, California identification card number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.
  • Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
  • Medical or Health insurance information.
  • Unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual. Unique biometric data does not include a physical or digital photograph, unless used or stored for facial recognition purposes.
  • Information or data collected through the use or operation of an automated license plate recognition system, as defined in Section 1798.90.5.
  • A username or email address, in combination with a password or security question and answer that would permit access to an online account.

PII as defined by California Law is equivalent to Level 1 data.

Student Information

The SF State Student Privacy Rights Policy and Procedures handbook maintained by the Registrar’s Office also uses the term Personally Identifiable Information (PII) and this usage pre-dates California Civil Code 1798.29. The Registrar’s variant of PII includes, but is not limited to:

  • Student's name
  • Name of the student's parent, or other family member
  • Address of the student or student's family
  • A personal identifier, such as the student's social security number or student number, PAC (Personal Access Code) number or handwritten signature
  • A list of personal characteristics that would make the student's identity easily traceable
  • Other information which would make the student's identity easily traceable.

For the purposes of this policy we will refer to the above as Student Information.

Statement: 

SF State University Identification Number

To replace the use of Social Security Numbers (SSN) as a unique identifier, the University Identification Number (UIN), or "SFSU ID" number, was established. UINs or SFSU IDs can be used to identify an individual and their participation in the SFSU community, but cannot be publicly posted or displayed in a manner which may identify the individual associated with the ID.

Asset Management

When protected Level 1 and Level 2 data are transmitted electronically, they must be sent via a method that uses strong encryption. Likewise, Level 1 and Level 2 data stored electronically must be encrypted using strong encryption methods and must follow the requirements defined by SF State’s Workstation Management Policy.

Information security incidents involving Level 1 or Level 2 data must follow the process spelled out in SF State’s Incident Management Policy. In California, Level 1 and Level 2 information stored on a system must be encrypted to avoid a breach notification.

The following student Directory Information is not considered confidential; however, students may request that their record be restricted:

  • student name
  • email address
  • major field(s) of study
  • dates of attendance
  • class or student level
  • enrollment status (e.g., undergraduate or graduate, full-time or part-time)
  • degrees awarded
  • honors and awards received
  • SFSU ID

Directory Information for student employees in CSU Collective Bargaining Unit 11 consists of the information noted above as well as: mailing address; telephone number; department employed; and student employee's status as a student employee (i.e., TA, GA, ISA).

All Student Information not included as directory information is confidential and shall be disclosed by the University only with the written permission of the student or exceptionally as required by FERPA. As a matter of policy, SFSU does not release Student Information belonging to applicants to the University.

Inquiries concerning students should be referred to the Registrar's Office.

Implementation

Responsibility for implementing this Policy will rest with Information Technology Services (ITS) and Information Technology (IT) departments across campus. Submit any apparent violation of the Confidential Data Policy to the appropriate administrative authority (vice president, dean, director, department, or program chair) or to service@sfsu.edu.

Non-Compliance

Noncompliance with applicable policies and/or practices may result in suspension of network access privileges. In addition, disciplinary action may be applicable under other University policies, guidelines, implementing procedures, or collective bargaining agreements.