What information needs to be protected?
LBL has two categories of information which require additional protection:
1. PII
2. Prudent to Protect Information
In addition, some kinds of information are never permitted at LBL.
PII Defined
The LBL definition of PII comes from California law. Anything that meets this definition requires full protection, and any known or suspected breach of this information must be immediately reported to the Computer Protection Program (CPP).
PII includes one or more of the following:
- Social Security Number or
- Personal Financial Account Number (e.g. credit card and direct deposit information) or
- Driver’s License or State Identification Card Number or
- Personal Health Information including insurance numbers, and most kinds of treatment and diagnosis information including non-anonymized research data*
* The summary above should be sufficient for most LBL community members; however, if you’d like to know more about the specifics of these definitions, there will be a link at the end of this training.
Additional Information:
Prior to 2008, personally identifiable medical information was only protected at this level if it was utilized or acquired in the context of treatment and thus covered by HIPAA. However, changes to California State Law mean that all personally identifiable medical information is now covered by California disclosure law.
In addition, information covered by HIPAA, which includes certain categories of health information acquired in a treatment setting or in the context of an insurance relationship, is also protected – though it would normally be a subset of “medical information.”
If you conduct medical research in collaboration with another university, note that you are covered by the rules of the institution which approved the research. However, no matter what protections are associated with the information, Personally Identifiable Medical Information, even that associated with research, must never be stored on LBL systems without approval from *both* the LBNL Human Subjects Committee and the Computer Protection Program.
