
Sacramento State Data Classification

California State University, Sacramento has identified three classification levels, referred to as Level 1, Level 2, and Level 3 data. Although all the enumerated data values require some level of protection, particular data values are considered more sensitive, and correspondingly tighter controls are required for these values. The most critical level of sensitivity begins with Level 1. Level 1 and Level 2 are considered protected levels.

Classification Description Examples

Level 1
Confidential

This information can cause the most serious harm to individuals and to the campus as a result of unauthorized access. Much of this information is protected by statute, regulation, or other legal obligation or mandate. The CSU has identified specific guidelines regarding the disclosure of much of this information to parties outside of the university, and controls are needed to protect against unauthorized access, modification, transmission, storage, or other use.

  • Passwords or credentials
  • PINs (Personal Identification Numbers)
  • Birth date combined with last four of SSN and name
  • Credit card numbers with cardholder name
  • Tax ID with name
  • Driver’s license number, state identification card, and other forms of national or international identification in combination with name
  • Social Security number and name
  • Medical records related to an individual
  • Psychological Counseling records related to an individual
  • Bank account or debit card information
  • Vulnerability/security information related to the campus or a system

Level 2
Business Use

This information must be guarded due to proprietary, ethical, or privacy considerations. Campus guidelines will indicate the controls needed to protect against unauthorized access, modification, transmission, storage, or other use.

  • Birth date
  • Educational records (Excludes directory information)
      o Grades
      o Courses taken
      o Schedule
      o Etc.
  • Employee information
      o Employee net salary
      o Employee history
      o Home address

Level 3
Public

This information is regarded as publicly available. These data values are either explicitly defined as public information (e.g., state employee salary ranges), intended to be readily available to individuals both on- and off-campus (e.g., an employee’s work e-mail address), or not specifically classified elsewhere in the protected data classification standard. Publicly available data may still be subject to appropriate campus review or disclosure procedures to mitigate potential risks of inappropriate disclosure.

  • Campus identification number
  • Employee ID
  • Educational directory information (FERPA)
  • Employee Information
  • Employee Title
  • Employee public email address
  • Name (first, middle, last)


Security Measures

Appropriate technical and organizational measures must be put in place to prevent the unauthorized or unlawful processing or disclosure of data. Departments must ensure that the security measures in terms of physical security (e.g. control access to buildings or rooms, correctly handle and dispose of printed material containing personal data), administrative controls (e.g. restrict password, restrict access on the basis of role or authority), and technical controls (e.g. store personal data on a secure server, make use of privacy enhancing technologies) are appropriate for the data being processed and maintained.

• Data security measures must be implemented commensurate with data value, sensitivity, and risk. Data in each classification will require varying security measures appropriate to the degree in which the loss or corruption of the data would be harmful to individuals, impair the business or academic functions of the University, result in financial loss, or violate law, policy or CSU contracts.

• Security measures implemented for data will be dictated by the data classification level. Measures will include, but not be limited to, an appropriate combination of the following:

  • Physical Access Control
  • Administrative Access Control
  • Technical Access Control

Handling Guidelines

• Protected Level 1 information should not be stored within shadow systems (e.g. files, home-grown databases, spreadsheets, documents, and tables).
    o If there is a compelling reason to store this information within a shadow system, the system needs to be identified and appropriate controls need to be in place commensurate with the primary source of the confidential information.
• Protected Level 1 information should not be sent, transmitted, or disseminated in an unsecured manner. The medium used to send, transmit, or disseminate Protected Level 1 information should be appropriately protected from modification or disclosure.
• Procedures regarding the archival and destruction of, at a minimum, Level 1 data should be implemented.

Data Retention

With the passage of time, data stored on campus hardware or media (electronic or paper) may no longer be required for organizational purposes. As appropriate, the storage of data must be kept to the minimum necessary.

Data Disposal

Electronic and non-electronic media and hardware that contain protected data no longer required for legitimate organizational purposes must be disposed of. The following disposal methods must be used:

  • Non-electronic media must be cross-cut shredded, incinerated, or pulped.
  • Electronic media must be purged, degaussed, shredded, or otherwise physically destroyed so that the protected data cannot be reconstructed. If a data deletion program is used, it must write random data for at least one complete pass across the entire media.
  • Campus back-up (i.e., tape, optical) media must be physically destroyed or degaussed.

Disposal of confidential data should be recorded in a disposal log. At a minimum, such tracking should identify:

  • Date and time of disposal
  • Brief description of items being disposed of
  • Name and title of person(s) performing the disposal
