This content is viewable by Everyone


Know Your Role in Protecting UCSF Data

Institutional information – data – is increasingly becoming UCSF’s lifeblood and most critical asset.  Concurrently, data is growing enormously in complexity and volume while regulatory requirements are becoming ever more stringent.  With the onset of Artificial Intelligence and Large Language Models, this trend stands to increase. These factors have made the data management process progressively more important.

Everyone at UCSF has a role to play in protecting our data. UCSF 650-16 Addendum A - UCSF Roles and Responsibilities for Securing Institutional Information and IT Resources describes these roles and their key responsibilities. Everyone, at a minimum, is a “workforce member” and must adhere to UC Policy BFB-IS-3: Electronic Information Security and UCSF Policy 650-16: Information Security and Confidentiality. People and Units have additional responsibilities based on their role within the institution. For example, a unit that manages data like employee information, financial data, or medical records is an “Institutional Information Proprietor” and must assign the related responsibilities to individuals within the unit. Another example is a department that delivers a particular IT service, as they would then own the responsibilities of a “Service Provider.” Additional information to help you understand your responsibilities is available in the UCOP Quick Start Guide by Role.

Valuable guidance on how to use and manage your data is available on the UCSF Data Resources webpage. 


Data Security Lifecycle - Plan, Store, Use and Share, Destroy


Data Security Lifecycle

Proper oversight of data throughout its life cycle is critical to optimize its utility and minimize the potential for errors and breaches. Below are examples of questions that should be asked, and measures taken within each of the four phases pictured above.



Use and Share, Including Transmitting Data Electronically

  1. PHI:
  2. ePHI:
  3. Secure:
  4. [encrypt]


  • How long should the data be kept? Data should be stored in accordance with the UC Records Retention Schedule.
  • How is paper media destroyed? Secure disposal bins should be used. Your manager can order one from the vendor, Shred-it, by contacting their customer service at 1-800-MYSHRED (1-800-697-4733) or [email protected] and creating a requisition in BearBuy.
  • How is electronic media destroyed? Contact the IT Service Desk or call 415-514-4100. IT will collect and arrange for the destruction of any electronic media (hard drives, tapes, etc.) that contains restricted or sensitive data, including PII (personally identifiable information) and PHI (patient health information), free of charge. 
  • Can data be left in the cloud or in the possession of a third party after a project is completed? If your data is stored in a cloud-hosted environment or with a vendor, be sure to work with them to retrieve or properly dispose of your data. UCSF purchasing agreements have specific requirements for how vendors must handle disposition of UCSF data at the end of the agreement.

Take the quiz on protecting your data. Everyone who passes the quiz is entered to win one of six $50 Amazon Gift Cards.

 Additional Information