Securing Your Data

Overview:

Data is one of UC Berkeley’s most critical assets. The complexity and volume of the data we take in are growing while, at the same time, regulatory requirements are becoming more stringent. These factors make correctly managing data vital to ensuring that its confidentiality, integrity, and availability remain intact.

The data management lifecycle: 

Proper handling of data throughout its lifecycle is critical to optimizing its utility, minimizing the potential for errors, and protecting it from breaches. No matter who has access to the data or where it resides, protecting university institutional information is required.

Below are questions that should be asked within each of the four lifecycle phases pictured above.

Planning and Creation:

  1. Has the data been properly classified per Berkeley’s Data Classification Standard?
    1. Check out our helpful Data Classification Guideline.
  2. Based on the data classification, are plans in place to meet the Minimum Security Standards for Electronic Information?
  3. In addition to the above, are there any legal, statutory, or access requirements that could apply to the data? Examples of regulations that apply include (but are not limited to):
    1. Health Insurance Portability and Accountability Act (HIPAA)
    2. Family Educational Rights and Privacy Act (FERPA)
    3. Payment Card Industry Data Security Standard (PCI DSS)
    4. General Data Protection Regulation (GDPR)
    5. California Security Breach Information Act (SB-1386)
    6. Gramm-Leach-Bliley Act (GLB Act)
    7. California Public Records Act Code 6250-6270 (CPRA)

Using and Sharing (including transmitting electronically):

  1. How will the data be used and shared?
  2. Have you read Berkeley’s requirements for sharing data?
    1. https://security.berkeley.edu/uc-berkeley-box-and-google-data-use-agreement
  3. Will data be emailed or transferred in a manner that meets UC Berkeley’s security requirements?
  4. Are there appropriate data use agreements in place per UC Berkeley’s requirements?
  5. Are there appropriate data access agreements in place per UC Berkeley’s requirements?
  6. If required, is your data de-identified per UC Berkeley requirements?
  7. If you are publishing or copyrighting your research, does it meet UC Berkeley requirements?

Storing:

  1. Will the data be stored via a UC Berkeley-vetted contracted service or tool?
    1. Researchers: https://researchdata.berkeley.edu/active-research-data-storage-guidance-grid
    2. General: https://bconnected.berkeley.edu/collaboration-services
  2. How will the availability of the platform be maintained?
  3. Will the data and system adhere to the UC Continuity Planning and Disaster Recovery Policy?
  4. Will the data be backed up?

Destroying:

  1. Are you following the UC Berkeley Records Retention Schedule?
  2. Is your paper media destroyed per UC Berkeley requirements?
  3. Is your electronic media destroyed per UC Berkeley requirements?
  4. Did you perform adequate data off-boarding procedures at the end of your project?

Additional Resources:

Research Data Portal