Systems should not include restricted information unless absolutely necessary. Restricted information is defined in IS-3 Electronic Information Security. Examples of restricted data elements include Social Security numbers, ethnicity, date of birth, and financial information such as credit card number or bank account number.

Avoid storing restricted data on portable devices. If restricted data must be transferred onto portable devices, implement measures to safeguard the confidentiality or integrity of the data in the event of theft or loss of the portable device.

Provide staff access to restricted data only as needed to perform assigned duties.

Maintain appropriate physical security for computing devices with restricted data. Take special care with a laptop that includes restricted data; in the event of theft, not only will the laptop be lost, but also restricted data will be compromised.

Delete personal information when there is no longer a business need for its retention on computing systems.

Remove all information from your old computer when you replace it. Be aware that many types of erased data can be recovered from your computer, unless you take explicit measures to effectively remove it.

Avoid using restricted data elements as the "key" to a database.

Avoid using actual data when testing an application; rather, "mask" the restricted data, such as Social Security number, with dummy information. If this is not possible, ensure implementation of security measures appropriate to the standard working environment.
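The two guidelines above, keeping restricted elements out of the database key and masking restricted data before it reaches a test environment, can be applied in one step when a test copy is produced. The following Python example is added here as an illustration and is not part of the UCOP guidance or any UC system. It assumes a small, constructed export of fictitious records and a test-only masking key (both labelled as constructed in the code). Each real value is mapped through an HMAC-seeded generator to a format-preserving dummy value, so the same real SSN always yields the same dummy SSN and joins between tables still line up, while a surrogate integer replaces the SSN as the record key. A final check lists any real restricted value that survived into the output.

```python
"""Build a masked copy of restricted records for use in a test environment.

Real values (SSN, date of birth, card number) are replaced by format-preserving
dummy values; a surrogate integer is used as the record key instead of the SSN.
"""
import hashlib
import hmac
import random
from datetime import date, timedelta
from typing import Dict, List

# Constructed, fictitious sample export (not real people or real identifiers).
RAW_RECORDS: List[Dict[str, str]] = [
    {"ssn": "123-45-6789", "name": "A. Example", "dob": "1985-04-12",
     "card": "4111111111111111", "dept": "HR"},
    {"ssn": "987-65-4321", "name": "B. Example", "dob": "1990-11-30",
     "card": "5500000000000004", "dept": "IT"},
    # Same person appears twice: masking must map both rows to the same dummy values.
    {"ssn": "123-45-6789", "name": "A. Example", "dob": "1985-04-12",
     "card": "4111111111111111", "dept": "HR"},
]

# Constructed test-environment-only secret. The same real value always maps to
# the same dummy value, so references across tables stay consistent.
MASKING_KEY = b"test-environment-masking-key (constructed)"


def _rng_for(value: str, key: bytes) -> random.Random:
    """Seed a PRNG from HMAC(key, value) so masking is deterministic per value."""
    digest = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return random.Random(int.from_bytes(digest[:8], "big"))


def mask_ssn(value: str, key: bytes = MASKING_KEY) -> str:
    """Dummy SSN with area number 900-999, a range never issued as an SSN."""
    r = _rng_for(value, key)
    return f"{900 + r.randrange(100):03d}-{r.randrange(1, 100):02d}-{r.randrange(10000):04d}"


def luhn_check_digit(payload: str) -> str:
    """Luhn check digit for a digit string that does not yet carry one."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:  # these positions are doubled once the check digit is appended
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True when the last digit is the correct Luhn check digit for the rest."""
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


def mask_card(value: str, key: bytes = MASKING_KEY) -> str:
    """16-digit dummy PAN that passes the Luhn check but is unrelated to the real card."""
    r = _rng_for(value, key)
    payload = "".join(str(r.randrange(10)) for _ in range(15))
    return payload + luhn_check_digit(payload)


def mask_dob(value: str, key: bytes = MASKING_KEY) -> str:
    """Random day in the same year, so age-based logic still sees realistic values."""
    r = _rng_for(value, key)
    year = int(value[:4])
    day = date(year, 1, 1) + timedelta(days=r.randrange(365))
    if day.isoformat() == value:  # never keep the real date
        day += timedelta(days=1)
    return day.isoformat()


def build_test_dataset(records: List[Dict[str, str]], key: bytes = MASKING_KEY) -> List[Dict[str, object]]:
    """Return masked rows keyed by a surrogate person_id instead of the SSN."""
    surrogate: Dict[str, int] = {}
    out: List[Dict[str, object]] = []
    for rec in records:
        # First appearance of an SSN gets the next integer; repeats reuse it.
        pid = surrogate.setdefault(rec["ssn"], len(surrogate) + 1)
        out.append({
            "person_id": pid,
            "name": rec["name"],
            "dept": rec["dept"],
            "ssn": mask_ssn(rec["ssn"], key),
            "dob": mask_dob(rec["dob"], key),
            "card": mask_card(rec["card"], key),
        })
    return out


def leaked_values(masked_rows, raw_records, fields=("ssn", "dob", "card")) -> List[str]:
    """List any real restricted value that survived into the masked output."""
    real = {rec[f] for rec in raw_records for f in fields}
    found = {row[f] for row in masked_rows for f in fields} & real
    return sorted(found)


if __name__ == "__main__":
    masked = build_test_dataset(RAW_RECORDS)
    for row in masked:
        print(row)
    print("leaked:", leaked_values(masked, RAW_RECORDS))
```

The masking key must live only in the test environment; because the mapping is keyed, someone holding the masked dataset alone cannot recover the real values, and rotating the key produces an entirely new, equally consistent dummy dataset.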
When personally identifying information is distributed to users, include notification that the data is restricted and requires security protection. Include reference to applicable policies and regulations. Delete personal information not critical to the task when distributing full data sets.

When passing restricted data to a third-party agent of the University, ensure there is a written contractual agreement (including terms and conditions) that provides, at a minimum, for (a) disallowance of disclosure by the agent or affiliate to other third parties, including subcontractors; (b) the requirement that all agents and affiliates must observe the laws and policies required of the University of California for privacy and security, including federal and state law; (c) a specific plan by the agent or affiliate for the implementation of logical, physical, and managerial security strategies; and (d) a specific plan for the destruction of restricted data upon completion of the agent's or affiliate's work for UCOP. For sample agreements, see IT Security at the University of California under Terms of Agreements.