What is Sensitive Data

Sensitive Data includes, but is not limited to:

Personal Information as defined by UCLA Policy 420:
an individual's first name or first initial, and last name, in combination with any one or more of the following: (1) social security number, (2) driver's license number or California identification card number, or (3) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

Restricted Data as defined by UC BFB IS-3: Electronic Information Security:
data that is considered sensitive to some degree. It is divided into two subcategories: Personal and Limited.

Personal data refers to the combination of any information that identifies and describes an individual, including but not limited to, his or her name, social security number, protected health information (PHI), and financial account information. Access to such data is governed by state and federal laws, both in terms of protection of the data, and requirements for disclosing the data to the individual to whom it pertains. Protection for such data may also be subject to additional operating regulations in accordance with vendor or partner agreements, such as the Payment Card Industry Data Security Standards. For further discussion of what constitutes personal data see BFB RMP-8, and in the case of student records, see the UC Policies Applying to Campus Activities, Organizations and Students Sec. 130.240, "Personally Identifiable Information." For PHI, see HIPAA compliance at the University of California (http://www.universityofcalifornia.edu/hipaa/uccompliance.html).
Limited refers to
- Electronic information whose unauthorized access, modification or loss could seriously or adversely affect the University (e.g., cause financial loss or loss of confidence or public standing in the community), adversely affect a partner (e.g., a business or agency working with the University), or adversely affect the public. Examples of such data may include selected research data where the corresponding research is incomplete, or responses to a Request for Proposal before a decision has been reached.
- Electronic information that the Electronic Information Resource Proprietor chooses to protect from general access or modification, although such access is not prohibited by law or University policy. An example might include data containing budget projections for a campus department.

More information regarding protection of personal information can be found on icompass's website.