What is Protected Information?
"Protected information" is an umbrella term for information that is linked to an individual person's identity, such as Social Security numbers, drivers' license data, and credit card or bank account information (sometimes called Personally-Identifiable Information, or PII) and which can be used to facilitate identity theft. Universities in particular have become attractive targets for hackers because of the freedom with which information is exchanged in an educational environment. Chico State University, like other institutions, is legally required to be vigilant and proactive in the protection of PII that's been entrusted to us.
Data Classification and Protection Standards
Data Classification and Protection Standards have been developed by CSU, Chico to classify various types of information as outlined below:
- Level 1 protected data: Confidential information governed by existing law or statute such as Social Security numbers and names, credit card numbers with cardholder names, or medical records related to an individual.
- Level 2 private data: Internal use information that must be protected due to ethical or privacy concerns such as student grades, courses taken, or disciplinary actions.
- Level 3 public (not protected) data: General information such as a person's title, email address, or other directory information that is available in the public domain.
Detecting Protected Information
The University is required to inventory protected information stored on campus systems. Beginning fall 2014, the campus will provide tools to help locate, protect, or delete confidential Level 1 protected data stored on University computers.
Handling Protected Data
If you find protected data on a system under your control, the following options are available to you:
- If it no longer meets a business need - destroy it
- Paper Shredding Guidelines
- If it needs to be kept - move it to a secure and labeled CD or other offline location, or to a secure server, and ensure that it is encrypted.
- If the protected data is not essential to the document containing that data, edit it to remove the sensitive data
- Protected Data: Online Cloud Storage and Email
Remember that CSU, Chico protected data may only be kept on campus systems.
Keeping Protected Data
Level 1 or Level 2 data may only be kept on a system if it meets the following conditions: