University of California, Riverside

Security Breaches



Protected Personal Data (PPI)

The data comprising personal information governed by these guidelines is defined as protected data. This protected data includes an individual's first and last name in combination with any of the following:

  • social security number AND/OR
  • driver's license number AND/OR
  • financial account or credit card number in combination with any password that would permit access to the individual's financial account


Computing System

A computing system is any server, desktop, laptop computer, or PDA (Personal Data Assistant) that contains or provides network access to protected data.


Lead Campus Authority

The Lead Campus Authority for UCR is the Associate Vice Chancellor for Computing and Communications (C&C). The Lead Campus Authority is responsible for ensuring that the campus incident response process and UCOP (and campus) notification procedures are followed. The Lead Campus Authority will coordinate campus procedures with various campus constituencies (VCA, Audit and Advisory Services, UCR's Locally Designated Official (LDO), UCR's Director of Financial Controls and Accountability, campus counsel, etc.) as appropriate and will maintain as robust a database as possible of campus systems containing protected data.


Responsible Administrative Official (e.g. Dean, Associate Dean, Vice Chancellor, Assistant Vice Chancellor, CFAO, etc.)

The UCR individual who is ultimately responsible for oversight of data or computing systems within a given functional area.


Data Proprietor (e.g. MSO, CFAO, Associate Dean, Assistant Vice Chancellor etc.)

Data Proprietors are responsible for identifying which computing systems contain protected data or have access to protected data (please see the note below relating to Control Records). They will ensure that appropriate procedures are deployed governing access to protected data and adequate security plans, consistent with Business and Finance Bulletin IS-3, are in place for computing systems within their jurisdiction. Data Proprietors will work with C&C to maintain an inventory of systems containing protected data. An up-to-date systems inventory will usually include the system's location and use, its custodian, and type of security protection. Data Proprietors will inform their Data Custodians, affected staff within their jurisdiction, and third-party users, of University policy and their responsibilities regarding any use they may make of protected data.

Data Custodian (e.g. Systems Administrator, Database Administrator, etc)

Data Custodians are responsible for protecting the resources under their control, such as access passwords, computers, and downloaded data. Contractual arrangements with outside affiliates must include the third-party user's obligations regarding protected data. Data Custodians will ensure implementation of adequate security measures for computing systems containing protected data (e.g. monitoring access logs for computing systems housing protected data can disclose unauthorized access or anomalous activity) as well as appropriate encryption strategies for both the transmission and storage of protected data. Departments may wish to consult with C&C for assistance in determining strategies appropriate to their particular technological environment.


Control Records

A Control Record is a database, spreadsheet, or any other electronic file containing a list of computing systems that contain protected data. Control records must contain the following:

  • name of computing system data custodian
  • physical location of computing system
  • description of logical access and security controls
  • description of protected data stored on the system

Control Records must be updated and supplied to the Lead Campus Authority at least once per year or at any time a system containing protected data is deployed or significantly modified.


Third-Party User

A Third Party User is an authorized external contractor or affiliate who uses UCR data containing protected information.


Health/Medical Information

Such information as medical data (medical history, mental or physical condition, medical treatment or diagnosis) and/or health insurance information (policy number, subscriber information number, individual's application and claims history including appeal records).


More Information 

General Campus Information

University of California, Riverside
900 University Ave.
Riverside, CA 92521
Tel: (951) 827-1012

Department Information

Computing & Communications
Computing & Communications Bldg.

Tel: (951) 827-3555
Fax: (951) 827-4541