Computer Systems

Everyone at UCSF is responsible for ensuring the confidentiality, integrity, and availability of University electronic information.

The UCSF Department of Epidemiology and Biostatistics complies with federal, state, University, and campus electronic information security requirements through a combination of physical, technical, procedural, and management controls. For more information on department security efforts, see our Network Services.

On this page:

What You Must Do
Restricted and Non-Restricted Data
Rules of Conduct for Handling Personal Data
Security Incident Handling

WHAT YOU MUST DO

• Obtain and wear your UCSF ID badge while at campus locations.
• Comply with HIPAA and Electronic Security training requirements.
• Read and respond to department security awareness alerts and program initiatives, as requested.
• Know what restricted data you have and where it is stored.
• Follow network security best practices and department standards and guidelines.
• Take advantage of available centralized, secure network resources (such as the DEB network) whenever possible to store and transmit data.
• When working with third-parties, ensure that the appropriate data use and confidentiality agreements are in place.
• Grant access to and distribute sensitive data on a need-to-know basis only.
• Dispose of devices and portable media properly.
• Report security incidents immediately to Susan Butler, DEB Security Officer and the Helpdesk, or your designated Computer Support Contact.

Restricted and Non-Restricted Data

Restricted data is information that requires the highest level of security protection. In deciding how best to protect your data, a good rule of thumb is, 'If it will cause harm to the public or a University partner, or cause liability to the University financially or in reputation, use the strictest security measures possible.'

The list below has been compiled in good faith from applicable federal and state regulations and university policies to help you inventory your data. If you have any questions about the status of your data or believe there is an error in this list, please contact Susan Butler, DEB Security Officer.

TOP

• Employee Personal Information
• Restricted:
  An individual's first name (or first initial) and last name in conjunction with descriptive information such as:
  • Birth date
  • Citizenship
  • Social security number
  • Home address
  • Home telephone number
  • Drivers license or state card ID
  • Financial account numbers
  • Income tax withholding
  • Medical benefits and medical history information
  • Spouse or relative names
  • Performance evaluations and corrective actions
  • Administrative investigations for employment suitability, complaints, or suspected criminal activity
  Read and follow these rules of conduct for handling personal information.

• Not Restricted:
TOP
• Name
• Date of hire or separation
• Current rate of pay
• Position title
• Organization unit assignment
• Office address and phone number
• Current job description
• Work status (e.g., full-time)
• Prior non-university employment
• Student Information
• Restricted:
  • Admissions information including home address and phone number
  • Transcripts, test scores
  • Disciplinary records
  • Financial aid records
  • Medical records
  Read and follow these rules of conduct for handling personal information.
• Business Information
• Restricted:
• Industry contracts
TOP
• Not restricted by law, but limited by the department:
• Budget projections
• Proprietary software code
• Health Information
• Restricted:
• 18 identifiers that constitute Protected Health Information
• Limited dataset with data use agreement (allowable elements: 5-digit zip code w/o 4-digit extension; dates of birth, death, admission, discharge; all geographic subdivisions other than street address)
• Not Restricted:
• De-identified datasets (in which the 18 identifiers has been removed)
• Heath information without the 18 identifiers (e.g., vital signs alone)
• Research Health Information
• Restricted:
• Sponsor-proprietary clinical trial data and documentation
• Identifiable data collected from participants and not associated with nor derived from a healthcare event (treatment, payment, operations, medical records), not entered into the medical records, nor will the subject/patient be informed of the results.
TOP
• Not Restricted:
• De-identified datasets
• Non-identifiable health information (e.g., vital signs alone)

Rules of Conduct for Handling Personal Data

1. Comply with Business and Finance Bulletin RMP-8, Legal Requirements on Privacy of and Access to Information, regarding collection, maintenance, use, and dissemination of personal and confidential information. This bulletin serves as the basic guide in administering the California Information Practices Act.
2. Do not require individuals to disclose personal or confidential information that is not necessary and relevant to the purpose of the University.
3. Make every reasonable effort to respond quickly and courteously to requests by individuals for their personal information. Assist the individual seeking the information to adequately describe the nature of the information requested so as to facilitate its retrieval.
4. Do not disclose personal or confidential information to unauthorized persons or entities.
5. Do not seek out or use personal or confidential information relating to others for personal interest or advantage.
6. Take all necessary precautions to assure that proper safeguards are in place to protect personal or confidential information.

Security Incident Handling

What's a security incident? Any event that causes or potentially causes data to be compromised such as:

TOP

• Virus attacks
• System crashes
• Unauthorized account access
• Lost or stolen workstations, media, or mobile devices

Who Do I Contact? Report the problem to the DEB Security Officer, Susan Butler, and the Helpdesk, or your designated Computer Systems Contact. Prompt reporting is important to mitigate possible damage to or loss of restricted data and to meet requirements for timely notification of affected individuals if restricted data has been improperly disclosed.

What Information Do I Give? Please give as much detail as possible about the incident, including:

• Your name and names of others involved in the incident
• The department or research unit in which you work
• Date and time of the incident
• Nature of the problem
• Type and amount of data affected
• Steps taken so far

How Will the Incident Be Processed? IT will help you resolve technical issues and, in the case of lost or stolen devices, will contact the UCSF Police. The security officer will assist with the initial investigation, documentation, and subsequent notification to the campus information security office if restricted data is disclosed or suspected of being improperly disclosed.

TOP

The department will coordinate with the Privacy Office, Legal, Risk Management, EIS, and other involved groups to resolve incidents in which restricted data has been disclosed. The department bears responsibility for administrative costs associated with the investigation and subsequent notification to affected individuals.