Information Security and Confidentiality


The purpose of this policy is to provide for compliance with federal and state law and regulations and university policy governing the security and confidentiality of Institutional Information.

Access Control

The policies and procedures that regulate Authorized Users’ ability or means necessary to read, write, modify, or communicate data or information or otherwise use any Institutional Information.

Authorized User

Any UCSF faculty, staff, student, or other individual affiliated with UCSF who has been granted authorization to access or invoke Institutional Information for the purpose of performing their job duties or other functions directly related to their affiliation with UCSF. The authorization granted is for a specific level of access to the Institutional Information in accordance with University policy. An example of an Authorized User is someone who handles business transactions and performs data entry into a business application or someone who gathers information from an application or data source for the purposes of analysis and management reporting.


The degree to which data or information is not available or disclosed to unauthorized persons or processes. The degree of confidentiality afforded to different types of information will vary in accordance with the requirements of federal and state laws, University policy, contract, or community practice.


Unauthorized (actual or suspected) access, use, disclosure, modification, or destruction of Institutional Information in violation of University policy.

Covered Entity (CE)

An entity that must comply with HIPAA. The term Covered Entity refers to health care providers, health plans, and health care clearing houses that perform a covered service and transmit data electronically.

Institutional Information

A term that broadly describes all data and information created, received and/or collected by UC. The UCSF Data Classification Standard (Addendum F) defines categories according to their unique protective requirements and provides guidance for identifying appropriate users or recipients. UCSF departments and units should determine in advance the extent to which information should be disclosed to specific users. Determinations should be made based on the nature of the content and the duties of department employees.

Minimum Security Standards for Electronic Information Resources

The UCSF Minimum Security Standards for Electronic Information Resources are required to protect all UCSF Institutional Information and IT Resources. Development and maintenance of these standards is the responsibility of the Committee on IT Security (CITS). Roles as described in Addendum A, UCSF Roles and Responsibilities for Securing Electronic Information Resources are responsible for assuring that the standards are implemented within their sphere of influence. The standards shall be reviewed and updated by CITS as needed to respond to emerging technologies, threats, and organization changes.

Security Incident

The attempted or successful unauthorized access, use, disclosure, modification, or destruction of Institutional Information in violation of University policies.

Security Threat

Any action by an individual or application that may result in a security incident and compromise the confidentiality, integrity, or availability of data. Threats that could breach confidentially include, but are not limited to, unauthorized intrusions, malicious misuse, inadvertent compromise, malware, the loss or theft of a computing device that contains Institutional Information, or any incident in which a user either directly or through technology performs functions for which they are not authorized.

UCSF Users/Workforce Members

UCSF students, faculty, staff, and others affiliated with the University (including those in program, contract, or license relationships with the University) who need to access and are authorized to use Institutional Information and IT Resources for purposes in accordance with the Electronic Communications Policy, Section III.D, Allowable Uses.

UCSF will protect the confidentiality, integrity, and availability of Institutional Information when such information is created, received, transmitted, and/or stored in any medium, including electronic or paper format, and will ensure that the handling of such information is consistent with federal and state laws and regulations and University policies.

All Workforce Members are responsible for the security and protection of Institutional Information over which they have control. The IT Governance Steering Committee and Committee on IT Security Technical Workgroup have identified specific roles and responsibilities for securing Institutional Information and IT Resources within UCSF Roles and Responsibilities for Securing Electronic Information Resources (Addendum A). UCSF Minimum Security Standards for Electronic Information Resources (Addendum B) is published to help units and Workforce Members protect their computing devices. UCSF data that is lost, stolen, compromised, or suspected of being compromised must be reported and investigated according to UCSF Incident Investigation (Addendum C). UCSF Wireless Networks (Addendum D) is published to assist in providing comprehensive protection of the wireless extension of UCSF networks. Workforce Members who handle or process credit card information must adhere to the PCI Standard (Addendum E). UCSF shall utilize the UCSF Data Classification Standard (Addendum F) to determine the assigned classification of information by data type, protection level, legal requirements, access requirements, and encryption requirements. Any third party that remotely accesses the UCSF network or any Institutional Information or IT Resources, as well as UCSF units that sponsor or manage such third parties, shall adhere to the Third Party Remote Access Standard (Addendum G).

Contact Responsible Office (above) with any questions.