What is Restricted Data?

Please review the Berkeley Data Classification Standard for information and requirements specific to the UC Berkeley Campus.  The following UC systemwide information and terminology is undergoing review and revision.

The term "Restricted" is defined by UC systemwide policy (UC IS-2 Policy entitled Inventory, Classification, and Release of University Electronic Information) as: 

"Restricted Information describes any confidential or personal information that is protected by law or policy, and that requires the highest level of access control and security protections whether in storage or in transit."

Restricted information includes, but is not limited to, "Notice Triggering Data," "PCI Data," "Home and Family Data," "PII Data," and "Contractually Protected Data" as defined below.

Notice Triggering Data is the UC Berkeley term used to refer to the set of data defined in the California Breach Notification Law.  A breach of this data requires us to notify all impacted individuals.  The data set includes:

  • First name or first initial, and last name in combination with one or more of the following:
      • Social security number,
      • Or driver's license number,
      • Or California identification number,
      • Or financial account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account,
      • Or medical information,
      • Or health insurance information.

PCI Data is defined by the Payment Card Industry Security Council as: 

  • A Credit Card number (primary account number or PAN) and one or more of the following:
      • Cardholder Name
      • Service Code
      • Expiration Date

Home and Family Data includes any information that describes an individual's place of residence, personal phone numbers, fax numbers, email addresses, or information about an individual's family members, such as names, ages, and residences.

PII Data is defined by the State of California as personally identifiable data, which is broadly interpreted to mean information about an individual maintained with sufficient information to readily identify the individual. Student records with name or SID, employee records with name or employee ID, and financial records with name or account number are examples of PII.

Contractually Protected Data is defined as any information identified within a formal legal agreement that obligates the Campus to keep it confidential or restrict access to it.  Examples include information under non-disclosure and third-party proprietary or confidential information.

Please contact ITpolicy@berkeley.edu if you have any questions about specific types of information, whether it is "restricted," and what privacy and security protections are relevant.