UCSF_Data_Classification_Standard_08-09-19 (PDF)

Document Owner: Patrick Phelan
Department Contact: UCSF IT Security
Issue Date: 4/24/17
Effective Date: 4/24/17
Reviewed/Revised Date: 8/9/19

Purpose

The purpose of this Data Classification Standard is to direct the method for classifying UCSF’s electronic data. This document demonstrates UCSF’s determination of the Protection Levels of each classification of UCSF data in compliance with University of California Policy BFB-IS-3: Electronic Information Security.

Overview and Scope

This standard applies to all electronic data managed and owned by UCSF, wherever it may be stored. Data storage locations may include, but are not limited to, data centers, data accessed by or stored remotely on electronic devices, and UCSF data that is stored with contracted third parties including Business Associates, cloud service providers, vendors, contractors, and temporary staff.

This data classification methodology in no way supersedes any state or federal government classifications assigned contractually or otherwise.

UCSF electronic data shall be classified according to the , described in this standard. The Data Classification Model will be used to determine the appropriate data classification for UCSF electronic data created, maintained, processed, or transmitted utilizing electronic resources. Under this model data will be classified in accordance with external regulatory, internal regulatory, and other contractual requirements, and in accordance with the potential adverse impact of loss, theft, or unavailability of the data.

In the event a specific set of electronic data is classified as fitting within a combination of two or more of the data classifications, that data shall be managed according to the most restrictive and/or highest applicable data classification.

In the event a specific set of electronic data does not fit into the current Data Classification Model, please contact UCSF IT Security for the determination of the appropriate data classification. UCSF’s Data Classification Standard serves as a location-specific interpretation of UC system-wide policy and, therefore, supersedes many of the requirements of the UC Institutional Information and IT Resource Classification Standard, although the system-wide standard may be referenced for guidance on the classification of data types not documented within this location-specific model.

UCSF IT Governance shall review the Data Classification Standard at least annually and update as needed to include additional data types and reflect any changes to protection level classification or policy and legal requirements.

Business Impact

Considerations for evaluating the potential adverse business impact to UCSF due to loss or compromise of the electronic data’s confidentiality or integrity include:
• Loss of critical UCSF operations
• Negative financial impact (actual money lost, lost opportunities, value of the data itself)
• Damage to UCSF’s reputation
• Potential for regulatory or legal action
• Violation of UCSF’s missions, policies, or principles
• Requirement for corrective action or repairs

Data Classification Model

Restricted Data Types

Personally Identifiable Information (PII)

• PII is protected by federal and state laws and regulations, including federal regulations administered by the U.S. Department of Homeland Security (DHS), and is defined by DHS as “any information that permits the identity of an individual to be directly or indirectly inferred, which if lost, compromised, or disclosed without authorization could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual.” PII must be protected prior to release in accordance with the Public Records Act or other disclosures required by law.
• PII includes but is not limited to the following:

2. Any of the following stand-alone elements:

• Full Social Security Number (SSN)
• Driver's license or State ID number
• Passport number
• Visa number
• Alien Registration Number
• Fingerprints or other biometric identifiers

3. Full name in combination with any of the following elements:

• Mother's maiden name
• Date of birth
• Last 4 digits of SSN
• Citizenship or immigration status
• Ethnic or religious affiliation

 Protected Health Information (PHI)

PHI is protected by the federal Health Insurance Portability and Accountability Act (HIPAA) and includes all individually identifiable health information, held or transmitted by a Covered Entity or its business associate, that relates to the health or health care of an individual, and specifically includes but is not limited to the following:

Information about an individual’s past, present, or future physical or mental health condition, or provision of and/or payment for healthcare to the individual, which includes at least one of the following identifiers:

• Names
• All geographic subdivisions smaller than a state, except for the initial three digits of the zip code if the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people
• All elements of dates, except year, and all ages over 89 or elements indicative of such age
• Telephone numbers
• Fax numbers
• Email addresses
• Social Security numbers
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate or license numbers
• Vehicle identifiers and serial numbers, including license plate numbers
• Device identifiers and serial numbers
• Web Universal Resource Locators (URLs)
• Internet Protocol (IP) addresses
• Biometric identifiers, including finger and voice prints
• Full face photographs and any comparable images
• Any other unique, identifying number, characteristic, or code, except as permitted for re- identification in the Privacy Rule.  This includes APeX-generated identifiers such as Encounter ID and PatID.

Research Health Information

Research health information is individually identifiable health information collected outside of the covered entity setting (i.e., the researcher is acting solely as a researcher with no clinical interaction, and the data is collected outside of UCSF’s HIPAA covered entity providers).  Examples of research health information include: data obtained from subjects during interviews or surveys, and the investigators do not review or alter the subjects' health records or make treatment decisions as part of the research; data obtained from records open to the public or existing research records; and data obtained using tests that do not go into the medical record because they are part of a basic research study and the results will not be disclosed to the subject.

Payment Card Industry Data (PCI) Data

PCI Data is data subject to the Payment Card Industry Data Security Standard/s (PCI-DSS), developed by the PCI Security Standards Council and adhered to by the University, and includes but is not limited to the following:

1. Cardholder Data:
   • Primary Account Number (PAN)
   • Cardholder name
   • Service code
   • Expiration date
2. Sensitive Authentication Data:
   • Full magnetic stripe data
   • CAV2/CVC2/CVV2/CID
   • PIN/PIN Block

Confidential Security Information

Information descriptive of the specific security measures that safeguard restricted (confidential or personal) information resources represents a special class of information that should be protected from unauthorized access or disclosure. Such information – whether hardware configurations, management controls or security practices, or procedures employed – could provide a roadmap for malicious individuals to attack University applications, systems, and networks. Confidential security information includes but is not limited to the following:

• Documentation of known or potential vulnerabilities and risks
• Results of security scans and assessments
• Implementation/configuration details for security devices and tools (e.g., specific software version numbers, network diagrams, vendor definition updates, and software modules)
• Implementation/configuration details for systems that provide security services for restricted data types. Security services include services which ensure confidentiality, integrity, and availability for other systems (e.g., authentication systems, VPN’s, systems management consoles, backup systems, credential stores, data loss prevention systems, system inventories, and encryption)
• Firewall and intrusion detection system logs
• Private credentials used to authenticate users, processes, and systems
• Security incident documentation including (e.g., indicators of compromise, remediation plans, remediation efforts, data identification analysis, documentation of malicious presence in the environment, and forensic analysis)
• Permission attributes identifying the resources to which an individual has access

Licensed Intellectual Property and Product Development Information

Licensed intellectual property and product development information is third party confidential information licensed to outside industries to the extent of identifying the products or services the third party (typically pharma and biotech industries) is developing with UCSF, and the third party’s commercialization plans for those products and services. Licensed intellectual property and product development information includes but is not limited to the following:

• Medical indication for which the third party is developing the product
• Information identifying the chemical structure of a lead therapeutic candidate in development
• Financial terms of the license
• Proprietary company information relating to existing products in the industry partner’s pipeline
• Information relating to the product development timeline

Sensitive Data Types

University Intellectual Property

University intellectual property relates to creations of the mind and includes electronic data which the University may patent or gain from financially through intellectual property commercialization partnerships and commercial entities. University intellectual property includes patents, copyrights, trademarks, and trade secrets, but does not include copyrighted materials which are publicly available.

De-identified Health Information

1. Health information that does not identify an individual, and for which there is no reasonable basis to believe that the information can be used to identify an individual, is not individually identifiable health information (PHI) and is considered de-identified. The Health Insurance Portability and Accountability Act (HIPAA) allows for two methods of de-identification: Expert Determination and Safe Harbor.
2. Expert Determination requires that a person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods applies those principles and methods and determines that the risk is very small that the information could be used to identify an individual who is the subject of the information. Methods and results of the analysis must be documented.
3. For Safe Harbor, all of the following 18 identifiers must be removed:
   • Names
   • All geographic subdivisions smaller than a state, except for the initial three digits of the zip code if the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people
   • All elements of dates, except year, and all ages over 89 or elements indicative of such age
   • Telephone numbers
   • Fax numbers
   • Email addresses
   • Social Security numbers
   • Medical record numbers
   • Health plan beneficiary numbers
   • Account numbers
   • Certificate or license numbers
   • Vehicle identifiers and serial numbers, including license plate numbers
   • Device identifiers and serial numbers
   • Web Universal Resource Locators (URLs)
   • Internet Protocol (IP) addresses
   • Biometric identifiers, including finger and voice prints
   • Full face photographs and any comparable images
   • Any other unique, identifying number, characteristic, or code, except as permitted for re-identification in the Privacy Rule. This includes APeX-generated identifiers such as Encounter ID and PatID.
4. Options for obtaining validated de-identified data sets include: requesting de-identified data as part of the UCSF Enterprise Data Request Process; utilizing data from UCSF de-identified data applications; or requesting validation of your own de-identified data set through validation services provided by UCSF Enterprise Information and Analytics.
5. Both Safe Harbor and Expert Determination methods, even when properly applied, yield de-identified data that retains some risk of identification. Although the risk may be very small, it is not zero, and the possibility remains that de-identified data could be linked back to the identity of the patient to which it corresponds.

Employee Information

Employee information is managed by Human Resources or Academic Personnel, protected by state or federal laws and regulations, including regulations of the United States Department of Labor, and is data directly associated with an employee or applicant for employment, which must be protected prior to release in accordance with applicable policy and law. Employee information includes but is not limited to the following:

• Contents of Employment applications, other than Personally Identifiable Information (PII)
• Personnel files
• Performance evaluations
• Benefits information

Sensitive Faculty Activities

Sensitive faculty activities include information about the teaching, research, and service activities of UCSF faculty. Sensitive faculty activities include but are not limited to the following:

• Academic research or teaching activities involving use of live animal research subjects, or other controversial matters
• Academic research or teaching activities involving control of hazardous materials, or technology which presents a high risk of harm to persons or property
• Academic service activities involving affiliation with an organization which, if made known to the general public, may result in risk of bodily or other harm to the individual

Learner Information

The Family Educational Rights and Privacy Act (FERPA) protects from disclosure most records that are directly related to a learner and that are maintained by UCSF or a party acting for UCSF. Learner information includes but is not limited to the following:

• Grades, exam papers, and test scores
• Class lists
• Learner course schedules
• Evaluations and disciplinary records
• Learner financial records
• Directory information for learners who have requested that information about them not be released as public information
• Employment records of a learner, if the learner's employment is contingent upon the fact that he or she is a learner

Donor Information

Donor Information is information about financial asset donations that has a stated purpose at the bequest of the donor, and includes but is not limited to:

• Donor's full name
• Donor contact information
• Securities donated
• Real estate donations
• Planned giving arrangements
• Amount/value donated

Current Litigation/Investigation Materials

Current litigation materials are electronically stored information that pertains to a current litigation hold implemented by UCSF’s Office of General Counsel. These materials include but are not limited to:

• Word, Excel, PowerPoint, or other office application documents
• PDF documents
• E-mail
• Calendar items
• Electronic voice mail
• USB drives

Contracts

Contracts are electronic copies of agreements, to which UCSF is a party, creating obligations enforceable by law. Electronic contracts include but are not limited to the following formats:

• Word documents
• PDFs
• Scanned images

Physical Building Designs

Physical building designs are defined as detailed floor plans, architectural drawings, or other renderings that show restricted areas, animal care facilities, mechanical spaces, or other spaces in the buildings not considered accessible for public use. Physical building designs include but are not limited to the following formats:

• Office documents (Visio, Word, etc.)
• Autocad
• PDFs
• Images
• Videos

Financial Information

Financial information includes monetary facts about UCSF and/or other parties who participate in financial transactions with UCSF that are used in billing, credit assessment, loan transactions, and other similar activities, that must be protected prior to release in accordance with the California Public Records Act or other disclosures required by law. Financial Information includes but is not limited to:

• Taxpayer identification numbers
• Credit ratings
• Account numbers
• Account balances

Internal Data Types

Public Directory Information

Public directory information includes information about academic personnel, staff personnel, and learners that is designated as public information in accordance with UCOP policy, and includes but is not limited to the following:

1. Non-Personal Academic Personnel Information:
   • Name
   • Date of hire or separation
   • Current position title
   • Current rate of pay
   • Organization unit assignment including office address and telephone number
   • Full-time, part-time, or other employment status
2. Staff Personnel Records Designated as “Public Information”
   • Name
   • Date of hire
   • Current position title
   • Current salary
   • Organizational unit assignment
   • Date of separation
   • Office address and office telephone number
   • Current job description
   • Full-time or part-time, and appointment type
3. Public Student Directory Information (unless a learner notifies UCSF in writing or via electronic procedures that any or all of these may not be disclosed (FERPA block))
   • Name
   • Address (local and/or permanent)
   • E-mail address
   • Telephone numbers
   • Date and place of birth
   • Field(s) of study
   • Dates of attendance
   • Grade level
   • Enrollment status
   • Number of course units in which enrolled
   • Degrees and honors received
   • Most recent previous education institution attended
   • Photo
   • Participation in officially recognized activities, including athletics
   • For participants on intercollegiate University athletic teams: name, weight, and height