UC San Diego SearchMenu

Guidelines for Handling Sensitive Data

If you handle sensitive data, you should read this page and familiarize yourself with UC and campus policies, procedures and guidelines.

Sensitive data is defined as information that is protected against unwarranted disclosure. Access to sensitive data should be safeguarded. Protection of sensitive data may be required for legal or ethical reasons, for issues pertaining to personal privacy, or for proprietary considerations.

If you have any questions or aren't sure whether or not this applies to you please contact your local IT support staff or UCSD's central IT Security department at security@ucsd.edu / (858) 246-4357.

Note: The term "sensitive" is descriptive only; it is not an official classification under university policy. Sensitive data may fit into various classifications based on the legal requirements and use.

Expand all

Transferring Sensitive Data

  • Never store or transfer sensitive data in an un-encrypted format.
  • Sensitive data should only be transferred using approved UCSD devices that meet or exceed UCSD’s minimum security standards. Do not use personal devices for handling sensitive data.
  • Devices used to transfer sensitive data should be encrypted using Sophos SafeGuard or equivalent.
  • Avoid using insecure or open network protocols to transfer data such as HTTP of FTP. Use SFTP or SSL instead (see PPM 135-3)
  • When transmitting sensitive data to an authorized 3rd party, consider using a tool like 7-Zip with a minimum setting of AES-256 to encrypt the data file.
  • The password for encrypting/decrypting the sensitive data file should never be stored in clear text. Instead, use a secure password manager such as KeePass or equivalent.
  • Always use strong passwords for encrypting sensitive data.
  • Send the password for decrypting the data file separately from the encrypted data file.

Working with Sensitive Data

  • Only work with sensitive data using approved UCSD owned devices that meet or exceed UCSD’s minimum security standards. Do not use personal devices for handling sensitive data.
  • Devices used to create, read, update or delete sensitive data should be encrypted using Sophos SafeGuard or equivalent.
  • Keep sensitive data in a single folder and securely delete the data from your device when you are done with it using Spirion "Shred" or equivalent.

Storing Sensitive Data

  • Only store sensitive data using approved UCSD owned devices that meet or exceed UCSD’s minimum security standards. Do not use personal devices for storing sensitive data.
  • Avoid storing sensitive data on local devices whenever possible. Instead, use a file server that meets or exceeds UCSD’s minimum security standards.
  • If you must store sensitive data on a UCSD owned device you should first obtain permission by contacting UCSD's Information Security Team (security@ucsd.edu).
  • After you have obtained approval to store sensitive data, keep the data in a single folder and securely delete the data from the device when you are done working with it.

Backing Up Sensitive Data

  • Backups of sensitive data should be done by central IT using encryption and stored/maintained in a secure manner.
  • If you need to make backup copies of sensitive data files, make sure to secure them using a tool like 7-Zip with a minimum setting of AES-256 to encrypt the files.

Policy References

Expand all