What is Confidential Data?

Data or information that is protected by laws, regulations or industry standards is considered confidential. In addition, confidential data can also be defined as information that could cause harm to an individual or an organization if it is inappropriately accessed.

Personally Identifiable Information (PII) is a term used to describe information relating to an identified or identifiable natural person, usually in the form of data elements that describe or can be linked to the individual. PII can be confidential or public, so it’s important to know how the data is classified. 

The CSU has established classifications and examples of data elements to make it easier to determine what type of information needs to be protected and the type of protection required. More information on CSU data classifications can be found at https://calstate.policystat.com/ (use the following search term on the CSU Policy website: 8065.S02 Information Security Data Classification Standard.)

SF State has published a Practice Directive and a quick reference below that includes: 

  • Data classification levels,
  • Examples of the types of elements in each classification level, and
  • Guidance on how to protect information

Level 1 Confidential

Disclosure Level: Level 1 data is exempt from disclosure under the provisions of the California Public Records Act or other applicable state/federal laws
Potential Damage: The unauthorized use, access, disclosure, acquisition, modification, loss, or deletion of Level 1 data could result in severe damage to the CSU, its students, employees, or customers
Intended Use: Solely for use within the CSU and limited to those with a “business need-to-know”
Encryption: Required

Some common examples of Level 1 information:  

  • Social security number with name
  • Driver’s license number, California identification card number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual
  • Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account
  • Medical information
  • Health insurance information
  • Unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual. Unique biometric data does not include a physical or digital photograph, unless used or stored for facial recognition purposes
  • Information or data collected through the use or operation of an automated license plate recognition system, as defined in California Civil Code Section 1798.90.5
  • A username or email address, in combination with a password or security question and answer that would permit access to an online account.

Level 2 Internal Use

Disclosure Level: Level 2 data is restricted from disclosure but not exempt by laws, regulations or standards
Potential Damage:  The unauthorized use, access, disclosure, acquisition, modification, loss, or deletion of Level 2 data could cause financial loss, damage to the CSU’s reputation, violate an individual’s privacy rights, or make legal action necessary
Intended Use: Business use only; focusing on proprietary, ethical, contractual or privacy considerations
Encryption: Recommended

Some common examples of Level 2 information:   

  • Identity Validation Keys (name with)
      o Birth date (full: mm-dd-yy)
      o Birth date (partial: mm-dd only)
      o Non-directory student information may not be released except under certain prescribed conditions
  • Employee Information
      o Net salary
      o Employment history
      o Employee evaluations
      o Background investigations
      o Parents' and other family members' names
  • Other
      o Library circulation information
      o Trade secrets or intellectual property such as research activities
      o Location of critical or protected assets
      o Licensed software
      o Third-party proprietary information per contractual agreement
      o Sealed bids until unsealed

Level 3 Public

Disclosure Level: Level 3 data is not exempt from disclosure under the provisions of the California Public Records Act or other applicable state/federal laws
Potential Damage: Knowledge of this information does not expose the CSU to financial loss or jeopardize the security of the CSU’s information assets 
Intended Use: Business use
Encryption: Not required

Some common examples of Level 3 information:   

  • Campus identification number (SF State ID)
  • User ID
      o Do not list in a public or a large aggregate list
      o Employee Title
      o Status as student employee (such as TA, GA, ISA)
      o Employee campus email address
      o Employee work location and telephone number
      o Employing department
      o Employee classification
      o Employee gross salary
      o Name (first, middle, last) (except when associated with protected data)
      o Signature (non-electronic)
  • Unsealed bids

Guidance for Protecting Information

In general, the best way to protect Level 1 information is to not collect it or store it. Always consider collecting the least amount of PII or confidential information required to meet the business purpose and only store/maintain it for the period necessary. Always securely delete or shred Level 1 information.

Tips for Managing Level 1 Information

  1. Level 1 Information should only be stored on a repository that has been approved for storing Level 1 Data, such as: SF State Secure Share Drives, DocuSign or designated Level 1 Box folders
  2. Level 1 data should not be stored on local laptops or desktops where it is vulnerable to equipment theft, malicious software such as spyware/ransomware, or corruption
  3. If a device storing Level 1 data is lost or stolen, you must contact the issuing department immediately AND report the incident to the ITS Service Desk at service@sfsu.edu or 415-338-1420
  4. Still have questions on data classifications or security protections?  Submit a ServiceNow Request to consult with the Information Security Team here:  https://sfsu.service-now.com/nav_to.do?uri=%2Fcom.glideapp.servicecatalog_cat_item_view.do%3Fv%3D1%26sysparm_id%3D2e9e77aedb5a081081fd16994b9619eb%26sysparm_link_parent%3D848ac4b0db69eb408fc9ce6139961969%26sysparm_catalog%3Df73da38bdb516b4009533672399619c6%26sysparm_catalog_view%3Dcatalog_information_technology_services%26sysparm_view%3Dcatalogs_default