This Practice Directive sets forth the guidelines and best practices for safeguarding SF State confidential data.
- What is Confidential Data?
- Data Classifications
- Personal Identity Information (PII)
- Student Information
- Applicant Information
- Credit Cards
As state and federal laws evolve, a number of formal and informal categorizations of data have emerged which dictate whether singular or combined data elements now are considered "confidential." Various terms may be used depending on the legislation applicable to the state or entities in which the data is held or exchanged with other entities. For further information, review the data clasifications.
Level 1: Confidential
Confidential Information is information maintained by the University that is exempt from disclosure under the provisions of the California Public Records Act or other applicable state or federal laws. Confidential information is information whose unauthorized use, access, disclosure, acquisition, modification, loss, or deletion could result in severe damage to the CSU, its students, employees, or customers. Financial loss, damage to the CSU’s reputation, and legal action could occur. Level 1 information is intended solely for use within the CSU and limited to those with a “business need-to-know.” Statutes, regulations, other legal obligations or mandates protect much of this information. Disclosure of Level 1 information to persons outside of the University is governed by specific standards and controls designed to protect the information.
Encryption Recommended: If Level 1 information is lost, stolen or accessed by unauthorized individuals, it typically requires a formal breach notification to impacted individuals under state and federal law. Level 1 information stored on a system must be encrypted in CA to avoid a breach notification.
There needs to be justification or alternative risk mitigation for not encrypting Level 1 data. If Level 1 data is unencrypted, a Risk Acceptance Form must be completed by the Associate Vice President/Dean and the Data Owner whose Level 1 data is unencrypted. A completed signed copy of the Risk Acceptance form should be sent via email to the Information Security Officer, Associate Vice President & Chief Technology Officer, Information Technology Services (ITS) and Associate Vice President, Enterprise Risk Management.
- Passwords or credentials
- PINs (Personal Identification Numbers)
- Birth date combined with last four digits of SSN and name
- Credit card numbers with cardholder name
- Tax ID with name
- Driver’s license number, state identification card, and other forms of national or international identification (such as passports, visas, etc.) in combination with name
- Social Security number and name
- Health insurance information
- Medical records related to an individual
- Psychological Counseling records related to an individual
- Bank account or debit card information in combination with any required security code access code, or password that would permit access to an individual's financial account
- Biometric information
- Electronic or digitized signatures
- Private key (digital certificate)
- Attorney/client communications
- Legal investigations conducted by the University
- Third-party proprietary information per contractual agreement
- Sealed bids
Level 2: Internal Use
Encryption Recommended: Level 2 information subject to review should not be released except by designated units. Non-directory educational information may not be released except under certain prescribed conditions.
Identity Validation Keys (name with)
- Birth date (full: mm-dd-yy)
- Birth date (partial: mm-dd only)
Student Information-Educational Records - excludes directory information) including:
- Courses taken
- Test Scores
- Advising records
- Educational services received
- Disciplinary actions
- Non-directory student information may not be released except under certain prescribed conditions
Employee Information Including:
- Employee net salary
- Employment history
- Home address
- Personal telephone numbers
- Personal email address
- Employee evaluations
- Background investigations
- Mother’s maiden name
- Race and ethnicity
- Parents and other family members names
- Birthplace (City, State, Country)
- Marital Status
- Physical description
- Library circulation information.
- Trade secrets or intellectual property such as research activities
- Location of critical or protected assets
- Licensed software
Level 3: Public
Encryption not required: Information that is generally regarded as publicly available. Information at this level is either explicitly defined as public information or intended to be available to individuals both on and off campus or not specifically classified elsewhere in this standard. Knowledge of this information does not expose the CSU to financial loss or jeopardize the security of the CSU’s information assets. Level 3 information may be subject to appropriate campus review or disclosure procedures to mitigate potential risks of inappropriate disclosure. Publicly available data may still subject to appropriate campus review or disclosure procedures to mitigate potential risks of inappropriate disclosure.
Campus Identification Keys
- Campus identification number (SF State ID)
- User ID (do not list in a public or a large aggregate list where it is not the same as the student email address)
- Student Information
- Educational directory information (FERPA)
Employee Information (including student employees)
- Employee Title
- Status as student employee (such as TA, GA,ISA)
- Employee campus email address
- Employee work location and telephone number
- Employing department
- Employee classification
- Employee gross salary
- Name (first, middle, last) (except when associated with protected data)
- Signature (non-electronic)
PII is defined by California State Law as unencrypted electronic information that includes an individual’s first name or initial, and last name, in combination with any one or more of the following:
- Social Security number (SSN).
- Drivers license number or State-issued Identification Card number.
- Financial account number, credit card number*, or debit card number in combination with any required security code, access code, or password such as expiration date or mother’s maiden name that could permit access to an individual’s financial account.
- Medical information (any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional)
- Health insurance information (an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records)
PII applies to any individual in the state of California whether SFSU staff, faculty, employee, student or applicant.
California State Law (Civil Code 1798.29) requires that Personal Identity Information (PII) is appropriately protected and that affected individuals must be notified of any reasonable suspicion of a compromise of that protection.
What Do I Need to Do?
In general, the best way to protect PII is not to have it in the first place.
Three overarching data management practices for individuals who work with this type of information are:
When access to files containing sensitive data is necessary, such data should be stored on protected servers behind the campus firewall and viewed over secure network connections when needed. Sensitive data should not be stored on local laptops or desktops where it is vulnerable in cases of equipment theft or via malicious software such as spyware or trojans.
If you must store or save this information on a desktop or mobile laptop it should be encrypted and the machine protected from malware. For information on how to secure and encrypt data on your computing platform, please see the sections on Securely Removing or Encrypting Sensitive Data.
- Securely delete PII when there is no longer a business need for its retention on computing systems. (This includes extra copies, backups and data that has exceeded its required retention period.) For a schedule of retention periods, please see the Retention Policy section of Student Rights Policy & Procedure
- Always shred or otherwise destroy PII before disposing of it. For information on how to securely delete files, see the Computer Security Guide.
If the device storing the data is lost or stolen you must contact the issuing department immediately AND report the incident to Information Security at 415-338-3018.
Personally identifiable information (PII) is a term used in SFSU Student Rights & Procedure Policy and pre-dates California Civil Code 1798.29 and its use of the term PII. SFSU Personally Identifiable Information may be contained in a student education record as information which enables another party to personally identify the student whose record is being reviewed. Personally identifiable information includes, but is not limited to:
- The student’s name
- The name of the student's parent, or other family member
- The address of the student or student’s family
- A personal identifier, such as the student's social security number or student number, PAC (Personal Access Code) number or handwritten signature
- A list of personal characteristics that would make the student's identity easily traceable
- Other information which would make the student's identity easily traceable.
The following student directory information is not considered confidential, however students may request that their record be restricted:
- student name
- email address
- major field(s) of study
- dates of attendance
- class or student level
- enrollment status (e.g., undergraduate or graduate, full-time or part-time)
- degrees awarded
- honors and awards received
To replace the use of Social Security Numbers (SSN) and establish another unique identifier, a University Identification Numbers (UIN) or "SFSU ID" number was established. UINs or SFSU Ids can be used to identify an individual and their participation in the SFSU community, but cannot be publicly posted or displayed in a manner which may identify the individual associated with the id.
FERPA The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects student education records. Besides allowing access to records by parents or guardians or to review for accuracy, FERPA has this privacy characteristics:
- Generally, schools must have written permission from the parent or eligible student in order to release any information from a student's education record.
What Do I Need to Do?
To replace the use of Social Security Numbers (SSN) and establish another unique identifier, a University Identification Numbers (UIN) or "SFSU Id" number was established. UINs or SFSU Ids can be used to identify an individual and their participation in the SFSU community, but cannot be publicly posted or displayed in a manner which may identify the individual associated with the id.
All personally identifiable information not included as directory information is confidential and shall be disclosed by the University only with the written permission of the student or exceptionally as required by FERPA.
Inquiries concerning students should be referred to the Registrar's Office:
- (415) 338-2350
- Registrar Contact Form
For greater detail and guidance on FERPA, please refer to SFSU Student Rights & Procedure Policy
This is likely to be the same or a subset of student personally identifiable information or information deemed confidential under CA State Civil Code as PII.
Technically, the CA Civil Code only applies to residents of California and FERPA only applies to students. As a matter of policy, San Francisco State University does not release personally identifiable information about applicants.
What Do I Need to Do?
Treat the information the same as designated students. As a matter of policy, San Francisco State University does not release personally identifiable information about applicants.
The Payment Card Industry Data Security Standard (PCI DSS) is a widely accepted set of policies and procedures intended to optimize the security of credit, debit and cash card transactions and protect cardholders against misuse of their personal information.
The PCI DSS was created jointly in 2004 by four major credit-card companies: Visa, MasterCard, Discover and American Express.
The standard has evolved and is also known under the names of PCI DSS, Payment Card Industry Standard, PCI Standard, and PCI Data Security Standard.
Independent of the Credit Card company guidelines, this information may also be covered under California State Law (Civil Code 1798.29) where a credit card is stored in conjunction with an individual's first name or initial and last name.
What Do I Need to Do?
In general, to avoid complex PCI DSS compliance and potential reportable loss events under California State Law, Civil code 1798.29, you should not store credit cards with an individual's first name or first initial and their last name.
If you have to possess or retain such information, see the section above on securing PII (above) and refer to the compliance requirements dictated by the Payment Card Industry Data Security Standard Website.
SFSU uses payment gateways such as EPOS, Touchnet and RegOnline to limit the storing and processing of credit card and consumer based data. Any new deployment or re-engineering effort should likewise use these gateways to prevent the storage of credit card data on SFSU systems.
Responsibility for implementing this Practice Directive will rest with Information Technology Services (ITS) and Information Technology (IT) departments across campus. Submit any apparent violation of Confidential Data Practice Directive to the appropriate administrative authority (vice president, dean, director, department, or program chair) or to firstname.lastname@example.org.
Noncompliance with applicable policies and/or practices may result in suspension of network access privileges. In addition, disciplinary action may be applicable under other University policies, guidelines, implementing procedures, or collective bargaining agreements.