Division of Information Technology

What is Confidential Data?

As state and federal laws evolve, a number of formal and informal categorizations of data have emerged that dictate whether single or combined data elements are now considered "confidential." Various terms may be used, depending on the legislation that applies to the state or to the entities that hold the data or exchange it with other entities:

Personal Identity Information, or PII
Credit Card Information
SFSU Student Information and Personally Identifiable Information
Applicant Information (not yet assigned SFSU ID or UID)


Personal Identity Information, or PII

 

"PII" is defined by California State Law as unencrypted electronic information that includes an individual’s first name or initial, and last name, in combination with any one or more of the following:

  • Social Security number (SSN).
  • Driver's license number or State-issued Identification Card number.
  • Financial account number, credit card number*, or debit card number in combination with any required security code, access code, or password such as expiration date or mother’s maiden name that could permit access to an individual’s financial account.
  • Medical information (any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional)
  • Health insurance information (an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records)

PII applies to any individual in the state of California whether SFSU staff, faculty, employee, student or applicant.

 

Relevant Legislation

California State Law (Civil Code 1798.29) requires that Personal Identity Information (PII) be appropriately protected and that affected individuals be notified of any reasonable suspicion of a compromise of that protection.

 

What Do I Need to Do?

In general, the best way to protect PII is not to have it in the first place.  

Three overarching data management practices for individuals who work with this type of information are:

  1. When access to files containing sensitive data is necessary, such data should be stored on protected servers behind the campus firewall and viewed over secure network connections when needed. Sensitive data should not be stored on local laptops or desktops, where it is vulnerable to equipment theft or to malicious software such as spyware or trojans.
    If you must store or save this information on a desktop or laptop, it should be encrypted and the machine protected from malware. For information on how to secure and encrypt data on your computing platform, please see the sections on Securely Removing or Encrypting Sensitive Data.
  2. Securely delete PII when there is no longer a business need for its retention on computing systems. (This includes extra copies, backups and data that has exceeded its required retention period.) For a schedule of retention periods, please see the Retention Policy section of the Student Rights Policy & Procedure.
  3. Always shred or otherwise destroy PII before disposing of it. For information on how to securely delete files, see the following sections on Handling Paper Records and Destroying Media containing such data.

If the device storing the data is lost or stolen, you must contact the issuing department immediately AND report the incident to Information Security at 415-338-3018.

 

Credit Card Information

 

Description

The Payment Card Industry Data Security Standard (PCI DSS) is a widely accepted set of policies and procedures intended to optimize the security of credit, debit and cash card transactions and protect cardholders against misuse of their personal information.

The PCI DSS was created jointly in 2004 by four major credit-card companies: Visa, MasterCard, Discover and American Express.

The standard has evolved and is also known under the names of PCI DSS, Payment Card Industry Standard, PCI Standard, and PCI Data Security Standard.

 

Relevant Legislation

Independent of the Credit Card company guidelines, this information may also be covered under California State Law (Civil Code 1798.29) where a credit card is stored in conjunction with an individual's first name or initial and last name.

 

What Do I Need to Do?

In general, to avoid complex PCI DSS compliance and potential reportable loss events under California State Law, Civil Code 1798.29, you should not store credit cards with an individual's first name or first initial and their last name.

If you have to possess or retain such information, see the section above on securing PII and refer to the compliance requirements dictated by the Payment Card Industry Data Security Standard Website.

SFSU uses payment gateways such as EPOS, Touchnet and RegOnline to limit the storing and processing of credit card and consumer-based data. Any new deployment or re-engineering effort should likewise use these gateways to prevent the storage of credit card data on SFSU systems.

 

SFSU Student Information and Personally Identifiable Information

 

Description

"Personally identifiable information" is a term used in the SFSU Student Rights & Procedure Policy; it predates California Civil Code 1798.29 and its use of the term PII. SFSU Personally Identifiable Information may be contained in a student education record as information which enables another party to personally identify the student whose record is being reviewed. Personally identifiable information includes, but is not limited to:

  • The student’s name
  • The name of the student's parent, or other family member
  • The address of the student or student’s family
  • A personal identifier, such as the student's social security number or student number, PAC (Personal Access Code) number or handwritten signature
  • A list of personal characteristics that would make the student's identity easily traceable
  • Other information which would make the student's identity easily traceable.

The following student directory information is not considered confidential; however, students may request that their record be restricted:

  • student name
  • email address
  • major field(s) of study
  • dates of attendance
  • class or student level
  • enrollment status (e.g., undergraduate or graduate, full-time or part-time)
  • degrees awarded
  • honors and awards received

To replace the use of Social Security Numbers (SSN) and establish another unique identifier, a University Identification Number (UIN), or "SFSU ID" number, was established. UINs or SFSU IDs can be used to identify an individual and their participation in the SFSU community, but cannot be publicly posted or displayed in a manner which may identify the individual associated with the ID.

 

Relevant Legislation

FERPA: The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects student education records. Besides allowing parents or guardians to access records or review them for accuracy, FERPA has this privacy characteristic:

  • Generally, schools must have written permission from the parent or eligible student in order to release any information from a student's education record.

 

What Do I Need to Do?

To replace the use of Social Security Numbers (SSN) and establish another unique identifier, a University Identification Number (UIN), or "SFSU ID" number, was established. UINs or SFSU IDs can be used to identify an individual and their participation in the SFSU community, but cannot be publicly posted or displayed in a manner which may identify the individual associated with the ID.

All personally identifiable information not included as directory information is confidential and shall be disclosed by the University only with the written permission of the student or exceptionally as required by FERPA.

Inquiries concerning students should be referred to the Registrar's Office: (415) 338-2350, records@sfsu.edu.

For greater detail and guidance on FERPA, please refer to the SFSU Student Rights & Procedure Policy.

 

Applicant Information (not yet assigned SFSU ID or UID)

 

Description

This is likely to be the same or a subset of student personally identifiable information or information deemed confidential under CA State Civil Code as PII. 

 

Relevant Legislation

Technically, the CA Civil Code only applies to residents of California and FERPA only applies to students.  As a matter of policy, San Francisco State University does not release personally identifiable information about applicants.

 

What Do I Need to Do?

Treat the information the same as designated above.  As a matter of policy, San Francisco State University does not release personally identifiable information about applicants.

