University of California, Riverside


Classification of Data & Systems

First Steps for Investigators

The first step researchers should take to ensure the security of electronic research data is the appropriate classification of the data, both in terms of its sensitivity and the location of the device (e.g. laptop, server). Classification of data should be carefully documented so in the event a breach should occur, proper notification can be performed.

Classification of Data

Investigators must be primarily concerned with appropriately securing data that is protected by federal and state law as well as university policy (e.g. FERPA, etc.). Electronic data of this nature can be grouped as follows:

1. Protected Data as defined by California Law (notes on SB1386)

Protected Data, as defined by California Law, requires any state agency (including the University of California) with computerized data containing personal information, to disclose any breach of security of a system containing such data to any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

The Civil Code defines "personal information" to be an individual's first and last name in combination with any of the following

  • social security number AND/OR
  • driver's license number AND/OR
  • financial account or credit card number in combination with any password that would permit access to the individual's account
  • medical information (added to the definition of personal protected data in 2007)

Return to Top

2. Medical Records Data as defined by HIPAA

HIPAA, the Health Insurance Portability and Accountability Act requires particular security measures be provided to ensure the protection of health information. However, it is important to note that UC Research involving medical information does not fall under the HIPAA requirements, when acting solely in the capacity of researchers. (When a UC researcher is also a health care provider or a member of the medical center's workforce, HIPAA requirements apply.)

If a researcher conducting research pursuant to an IRB-approved protocol, wants to obtain Protected Health Information from records maintained by the Student Health Care Center (SHCC), HIPAA requires that the SHCC receive assurances from the IRB, Privacy Board, and/or researcher that either:

  1. the subject has authorized the use of Protected Health Information (PHI) for research;
  2. the IRB or Privacy Board has waived the research authorization based on specific waiver criteria; or
  3. the researcher is requesting only a limited or de-identified set of information.

Once PHI is released by the SHCC to the researcher, it is no longer protected under the Privacy Rule. However, under California law (Confidentiality of Medical Information Act,CMIA, Cal.Civil Code Sec 56 - 56.16) certain re-disclosures of medical information beyond HIPAA boundaries must be authorized.

In the event of a breech related to medical information, immediately contact C&C's Information Security Officer, Russ Harvey at For policy related questions, contact Shelley Gupta at

More information regarding HIPAA guidelines can be found at:

Return to Top

3. Research Data requiring appropriate safeguards - Student Information

Data involving student information must meet FERPA requirements. FERPA is the Family Educational Rights and Privacy Act, and governs access and disclosures for student records and student information.

Return to Top

4. Research Data Requiring Special Safe Guards by Granting Agency

Granting Agencies may require additional safe guards to ensure protection of research data. Some examples of potential additional safe guards are: (reference L.A.FANS

  • Submission of Security Plan
  • Instructions to involved staff on protection policies
  • Automatic activation of password-protection after 5 minutes
  • Encryption with password protection of all files containing data
  • NO automatic backup copying of the data

Return to Top

5. Research Data that is Sensitive to either UCR or the Principal Investigator (sensitivity refers to potential repercussions if the data is exposed, or obtained)

Data that is classified as sensitive to the University or the reputation of the Principal Investigator should have security measures in place that are appropriate to the level of sensitivity.

Return to Top

Electronic Devices Used to Store the Data

The steps required to secure electronic research data vary depending on the nature of the system in question (e.g. the steps needed to secure a USB hand-held flash drive differ from those required to secure a large server and relational database).  Thus, after appropriately classifying the research data, the researcher should identify any / all systems that will be used to house / access this data.

The plan to secure research data should thus be a function of both the sensitivity of the data, as well as the hardware used to store the data. If the research data contains sensitive data and is transportable on a laptop or flash drive, it is recommended the data at rest be encrypted. If the data is kept in a physically secure location on a expertly administered server and not transmitted over the network sensitive data may not require encryption.

Return to Top

More Information 

General Campus Information

University of California, Riverside
900 University Ave.
Riverside, CA 92521
Tel: (951) 827-1012

Department Information

Computing & Communications
Computing & Communications Bldg.

Tel: (951) 827-4741
Fax: (951) 827-4541