Protecting Personal Information @ UCR
Protecting Your Information
California law (commonly referred to as SB1386) requires UCR to disclose any security breach of a system containing protected personal information to any California resident whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
The law defines "personal information" to be an individual's first and last name in combination with any of the following:
- social security number AND/OR
- driver's license number AND/OR
- financial account or credit card number in combination with any password that would permit access to the individual's account.
Detailed information, including UC and UCR policies, as well as procedures and guidelines for incident handling, can be found at SB1386 Security Breaches Involving Personal Information. Campus departments and units are urged to establish procedures and practices to reduce the collection, distribution, and retention of protected personal information. For additional information about SB1386, protected personal information, or campus guidelines and policy, please email ITpolicy@ucr.edu.
Best Practices Relating to Protected, Personal Information:
- Collect and retain only that data which is essential to the performance of assigned tasks.
- Delete personal information when there is no longer a business need for its retention on computing systems.
- Provide staff access to sensitive data only as needed to perform assigned duties.
- Design database systems so that personal information can be identified.
- When personally identifying information is included in the distribution of data to any downstream users, include notification of that fact, including reference to these guidelines.
- Remove personal information not critical to the task when distributing full data sets to downstream users.
- Whenever possible, configure electronic applications that check authorizing or authenticating databases to return confirming responses rather than personal information.
- Review and update agreements with external service providers to ensure vendor compliance with these requirements.
- Be prepared in advance in the event of the need for any immediate notification to individuals whose personal data is retained on computing systems.
- Never leave sensitive data exposed on computer screens when not in use or leave computer screens unattended without appropriate screen access controls.