Protected Data
CSU Data Classification
Classification Descriptions and Examples
Level 1 – Confidential
Confidential Information is information maintained by the University that is exempt from disclosure under the provisions of the California Public Records Act or other applicable state or federal laws. Confidential information is information whose unauthorized use, access, disclosure, acquisition, modification, loss, or deletion could result is severe damage to the CSU, its students, employees, or customers. Financial loss, damage to the CSU’s reputation, and legal action could occur.
Level 1 information is intended solely for use within the CSU and limited to those with a "business need-to know." Statutes, regulations, other legal obligations or mandates protect much of this information. Disclosure of Level 1 information to persons outside of the University is governed by specific standards and controls designed to protect the information.
Examples:
- Passwords or credentials
- PINs (Personal Identification Numbers)
- Birth date combined with last four digits of SSN and name
- Credit card numbers with cardholder name
- Tax ID with name
- Driver’s license number, state identification card, and other forms of national or international identification (such as passports, visas, etc.) in combination with name
- Social Security number and name
- Health insurance information
- Medical records related to an individual
- Psychological Counseling records related to an individual
- Bank account or debt card information in combination with any required security code, access code, or password that would permit access to an individual's financial account
- Biometric information
- Electronic or digitized signatures
- Private key (digital certificate)
- Vulnerability/security information related to a campus or system
- Attorney/client communications
- Legal investigations conducted by the University
- Third party proprietary information per contractual agreement
- Sealed bids
Level 2 – Internal
Internal use information is information which must be protected due to proprietary, ethical, or privacy considerations. Although not specifically protected by statute, regulations, or other legal obligations or mandates, unauthorized use, access, disclosure, acquisition, modification, loss, or deletion of information at this level could cause financial loss, damage to the CSU’s reputation, violate an individual’s privacy rights, or make legal action necessary.
Non-directory educational information may not be released except under certain prescribed conditions. Non-directory student information may not be released except under certain prescribed conditions.
Examples:
- Identity Validation Keys (name with):
- Birth date (full: mm-dd-yy)
- Birth date (partial: mm-dd only)
- Student Information-Educational Records –(Excludes directory information) including:
- Grades
- Courses taken
- Schedule
- Test Scores
- Advising records
- Educational services received
- Disciplinary actions
- Employee Information Including:
- Employee net salary
- Employment history
- Home address
- Personal telephone numbers
- Personal email address
- Payment History
- Employee evaluations
- Background investigations
- Mother’s maiden name
- Race and ethnicity
- Parents and other family members names
- Birthplace (City, State, Country)
- Gender
- Marital Status
- Physical description
- Photograph
- Other:
- Library circulation information
- Trade secrets or intellectual property such as research activities
- Location of critical or protected assets
- Licensed software
Level 3 – Public
This is information that is generally regarded as publicly available. Information at this level is either explicitly defined as public information or intended to be available to individuals both on and off campus or not specifically classified elsewhere in this standard.
Knowledge of this information does not expose the CSU to financial loss or jeopardize the security of the CSU’s information assets.Level 3 information may be subject to appropriate campus review or disclosure procedures to mitigate potential risks of inappropriate disclosure.
Publicly available data may still subject to appropriate campus review or disclosure procedures to mitigate potential risks of inappropriate disclosure.
Examples:
- Campus Identification Keys
- Campus identification number
- User ID (do not list in a public or a large aggregate list where it is not the same as the student email address)
- Student Information
- Educational directory information (FERPA)
- Employee Information (including student employees)
- Employee Title
- Status as student employee (such as TA, GA, ISA)
- Employee campus email address
- Employee work location and telephone number
- Employing department
- Employee classification
- Employee gross salary
- Name (first, middle, last) (except when associated with protected data)
- Signature (non-electronic)