Handling Confidential Information

Under the California Personal Information Security and Confidentiality of Medical Information Acts (commonly known as Senate Bill (SB) 1386 and Assembly Bill (AB) 1298, respectively), personal information is defined as:

An individual’s first name or first initial and last name in combination with any one or more of the following data elements:

  • Social Security number
  • Driver’s license or California Identification Card number
  • Account number, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account
  • Medical information
  • Health insurance information

Health insurance information: An individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.

Medical information: Any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.

In addition to the personal information listed above, examples of confidential information include the following: financial records, student educational records, physical description, home address, home phone number, grades, ethnicity, gender, employment history, performance evaluations, disciplinary action plans, or NCAA standings. Confidential information must be interpreted in combination with all information contained on the computer to determine whether a violation has occurred.

Proprietary information: Information that an individual or entity possesses, owns, or holds exclusive rights to. Examples include: faculty research, copyrighted materials, white papers, research papers, business continuity and other business operating plans, e-mail messages, vitae, letters, confidential business documents, organization charts or rosters, detailed building drawings, and network architecture diagrams. Proprietary information, if lost or stolen, could compromise, disclose, or interrupt operations or embarrass the individual or the University.

As of July 2005, California SB 25 limits the CSU’s use of Social Security numbers (SSNs) for identification of students and employees. While some departments will still need to use SSNs to conduct business (e.g., Payroll, Human Resources Management), the campus is prohibited from:

  • Publicly posting or displaying an individual’s SSN.
  • Printing an individual’s SSN on any card required for access to products or services.
  • Requiring an individual to transmit his/her SSN over the Internet, unless the connection is secure or the SSN is encrypted.
  • Requiring an individual to use an SSN to access an Internet Web site, unless a password, unique personal identification number, or other authentication device is also required.

To meet this requirement, Cal State L.A. has converted all students’ and employees’ identification numbers to Campus Identification Numbers (CINs) or Employee IDs. Departments should not use an SSN in forms or data files unless it is absolutely necessary for a business process and a CIN cannot replace it.

When working with confidential information, remember to do the following:

  • Encrypt all electronic confidential information.
  • Ensure that only authorized individuals are able to view or handle confidential information.
  • Do not fax confidential information to others unless you are sure the recipient is waiting at their fax machine to remove the copy.
  • Do not e-mail unencrypted confidential information to other organizations or departments.
  • Do not e-mail decryption passwords. Telephone the recipient with the password.
  • Never visibly post grades, student information, SSNs, or other confidential information.