Restricted Data Management


Employees, students and affiliates of UC Berkeley routinely create, utilize and store data in both paper and electronic format. The campus’ Data Management, Use and Protection (DMUP) policy addresses each person’s roles and responsibilities in correctly managing, using and protecting this data. In particular, it places special emphasis on, and mandates special procedures for, data that can be classified as restricted or essential.

Essential Data

Description
Essential data is defined as any data or data resource whose loss could result in failure of mission-critical business functions, loss of funds, or significant liability or legal exposure. Examples of essential data include administrative data (e.g., grant expenditure records and hiring documents) and research data (e.g., experimental results).
Responsibilities
The most critical requirement is to ensure that there are backup copies of all essential data, and, preferably, that these copies are stored in an off-campus location. For electronic data we highly recommend the automated UC Backup service (contact [e-mail address hidden] to sign up). It is also important to formulate a disaster recovery plan in advance to determine how to most quickly resume operations in the event of a disaster.

Restricted Data

Most of the DMUP focuses on data that is classified as restricted because its use and access are restricted by federal or state law or University or campus policy. Restricted data can be further subdivided by what category the data belongs to (e.g., Student vs. Financial) and also by which underlying law or policy mandates its being classified as restricted (e.g., SB1386). There are common recommendations that should be followed when utilizing all restricted data; however, there are additional requirements (specifically registration) for data that is governed by the state and federal laws SB1386, HIPAA, and FERPA.

Description

Restricted data ranges from the obvious such as social security numbers, bank account numbers, and student transcripts, to the not so obvious such as letters of recommendation and floor plans. A good summary of restricted data by category is available here, and a more comprehensive list is available here.
SB 1386 is a California state law that mandates specific restrictions on the following: social security numbers, bank account numbers, credit and debit card numbers, driver’s license numbers, and California ID numbers.
FERPA (Family Education Rights and Privacy Act of 1974) is a Federal law that protects the privacy of student records. Examples of protected data include SID numbers, grades, and financial aid records, but do not include what would be considered “directory information” (e.g., name, address, and major). See the Campus policy on Disclosure of Information from Student Records for details.
HIPAA (Health Insurance Portability and Accountability Act) is a Federal law that regulates the protection of private health information. This is primarily applicable to researchers who study human subjects. See the Committee for Protection of Human Subjects for more information.
Responsibilities
  • Whenever possible do not use or store restricted data. Many systems contain this information for purely historical reasons. Use secure delete methods (see here) to remove unneeded restricted data.
  • Whenever possible store restricted data on centrally managed servers and avoid making copies (other than recommended backups). Especially avoid storing it on portable devices such as laptops or PDAs. If you must do so, encrypt the contents and delete it securely as soon as possible.
  • Avoid transferring restricted data (especially by email). If you must transfer the data use a secure transfer method such as sFTP or encrypt the contents before sending.
  • Limit access to restricted data to only those who need access to perform their assigned duties.
  • Although all computers connected to the network should abide by the campus Minimum Security Standards, this is especially important for computers that are used for manipulating or storing restricted data.
  • The campus currently requires that any computer that stores information covered by SB 1386, FERPA or HIPAA (see above) be registered with the campus Restricted Data Management (RDM) system. In the future, systems with other types of restricted data will likely need to be registered as well. Contact [e-mail address hidden] for assistance.

For a complete list of best practices for restricted data see here.

Useful Links