Data Protection Levels
Protected Level 1 Data: Confidential
Protected Level 1 information is information primarily protected by statutes, regulation, other legal obligation or mandate. Both CSU and SDSU have identified standards regarding the disclosure of this type of information to parties outside of SDSU/SDSURF and controls needed to protect the unauthorized access, modification, transmission, storage or other use. Level 1 Confidential information is intended for use by SDSU/SDSURF and access is limited to those with a “business need-to-know.”
Protected Level 1 Examples
- Passwords or credentials
- PINs (Personal Identification Numbers)
- Credit/debit/payment card numbers with any of the following:
- cardholder name
- expiration date
- card verification code
- Social Security number or Tax ID with name
- Driver’s license number, state identification card, and other forms of international identification (such as passports, visas, etc.) with name or social security number
- Name with bank account information or bank account information with password, security code or any other access code information
- Private key (digital certificate)
- Contact phone number
- Home address
- Health insurance information
- Medical records related to an individual (including disability information)
- Psychological counseling records related to an individual
- Electronic or digitized signatures
- Employee name with personally identifiable employee information
- Mother’s maiden name
- Gender
- Gender identity
- Birthplace (city, state, country)
- Birthdate
- Employee net salary
- Marital status
- Physical description/personal characteristics
- Employment history (including recruiting information)
- Biometric information
- Electronic or digitized signatures
- Parents and other family member names
- Caregiver or family member’s name for studies targeting children/youth
- Current symptoms (e.g. asthma-related symptoms)
- Current use of medication (e.g. diabetes, heart diseases, GI medications)
- Type of treatment used (e.g. used for neck/back pain)
- Ever applied for disability or worker’s compensation
- Ever had health condition (e.g. heart condition, chest pain, dizziness, tumor)
- Pregnancy
- Have physical disability
- Have psychological disorder
- Sexual Orientation
- Student name with personally identifiable educational records
- Study ID/Recruitment ID master list linked with participant’s full name
Protected Level 2 Data: Internal Use
Protected level 2 information must be guarded due to proprietary, ethical or privacy considerations. University standards will indicate the controls needed to protect the unauthorized access, modification, transmission, storage or other use.
Protected Level 2 Examples
- Student name with personally identifiable educational records
- Courses taken
- Schedule
- Test scores
- Financial aid received
- Advising records
- Educational services received
- Dietary restriction
- Disciplinary actions
- Photograph
- Most recent educational agency or institution attended
- Participation in officially recognized activities and sports
- Weight and height
- Grades
- SDSU identification number
- Age
- Race & Ethnicity
- Gender
- Transcripts
- E-mail addresses
- Employee name with personally identifiable employee information
- Birth date (full: mm-dd-yyyy or mm-dd)
- Caregiver’s legal guardianship for studies targeting children/youth
- Emergency contact home address
- Emergency contact personal telephone number
- Emergency personal contact information (name, cell phone, pager)
- Marital status
- Pain severity
- Personal telephone numbers
- Personal vehicle information
- Personal email address
- Parents and other family member names
- Payment history
- Preferred language to speak
- Speak English/Spanish
- Employee evaluations
- Background investigations
- Days living with the child
- Name of the school/child care center child attended
- Number of children in the household
- Photograph (voluntary for public display)
- Legal investigations conducted by the College of Education
- Sealed bids
- Trade secrets or intellectual property such as research activities
- Location of highly sensitive or critical assets (e.g. safes, check stocks, etc.)
- Library circulation information
- Vulnerability or incident information
- Licensed software
- Attorney/client communications
- Third party proprietary information per contractual
Protected Level 3 Data: Generally Regarded as Publicly Available
Protected level 3 is information that is regarded as publicly available. This information is either explicitly defined as public information (such as state employee salary ranges), intended to be available to individuals both on-campus and off-campus (such as employee work email addresses), or not specifically classified elsewhere in the protected information classification standard. Publicly available information may still be subject to College of Education review or disclosure procedures to mitigate potential risks of inappropriate disclosure.
Protected Level 3 Examples
- Student information designated as Educational Directory Information (excluding grades):
- Student name
- Major field of study
- Dates of attendance
- Degrees, honors and awards received
- Employee Information (including student employment)
- Employee title
- Employee name (first, middle, last; except when associated with protected information)
- Enrollment status
- Fruit and vegetable consumption (in cups)
- Department employed
- Name and Location of the usual primary health care provider
- Preferred contact method
- Work location and telephone number
- Work e-mail address
- Employee classification
- Status as student (such as TA, GA, ISA)
- Employee gross salary
- Signature (non-electronic)
- SDSU identification number