Data Classification and Handling Policies
Information Classification Standard
SDSU Research Foundation has adopted the CSU Information Security Data Classification Levels. The standard outlines three levels of classification (Protected Level 1, 2 and 3) based on risk and informs the level of security controls that should be applied to protect data (electronic, physical, etc.) from unauthorized use, access, disclosure, acquisition, modification, loss or damage as it is acquired, processed, transmitted and/or stored.
All SDSU Research Foundation staff, PIs, project directors and entities working on behalf of SDSURF are subject to these guidelines and policies.
Protected Level 1 (PL1) / Confidential Data
Protected Level 1 information is information primarily protected by statutes, regulation, other legal obligation or mandate. This classification is applied to information whose unauthorized use, access, disclosure, acquisition, modification, loss, or deletion could result in severe damage to the CSU/SDSU/SDSURF, its students, employees or customers. Financial loss, damage to the CSU/SDSU/SDSURF’s reputation, and legal action could occur.
Information may be classified as confidential based on criteria including but not limited to:
- Disclosure exemptions – Information maintained by the SDSURF or the University that is exempt from disclosure under the provisions of the California Public Records Act or other applicable state or federal laws.
- Severe risk – Information whose unauthorized use, access, disclosure, acquisition, modification, loss, or deletion could result in severe damage to the CSU, its students, employees, or customers. Financial loss, damage to the CSU’s reputation, and legal action could occur.
- Limited uses – Information intended solely for use within the CSU and limited to those with a business “need-to-know.”
- Legal Obligations – Information for which disclosure to persons outside of SDSURF/SDSU is governed by specific standards and controls designed to protect the information.
Examples of Level 1 – Confidential information include but are not limited to:
- Passwords or credentials that grant access to level 1 and level 2 data
- PINs (Personal Identification Numbers)
- Birthdate with name and last four digits of social security number
- Credit card numbers with cardholder name
- Social Security number (SSN) or Tax ID with name
- Driver’s license number, state identification card, and other forms of international identification (such as passports, visas, etc.) with name.
- Bank account or debit card information in combination with any required security code, access code, or password that would permit access to an individual’s financial account
- Private key (digital certificate)
- Health insurance information
- Medical records related to an individual (including disability information)
- Psychological counseling records related to an individual
- Criminal background check results
- Law enforcement personnel records
- Biometric information
- Electronic or digitized signatures
- Parents’ and other family members’ names
Protected Level 2 (PL2) / Internal Use
Protected level 2 information must be guarded due to proprietary, ethical or privacy considerations. This classification is applied to information which may not be specifically protected by statute, regulations or other legal obligations or mandates but for which unauthorized use, access, disclosure, acquisition, modification, loss, or deletion could cause financial loss, damage CSU/SDSU/SDSURF’s reputation, violate an individual’s privacy rights, or make legal action necessary.
Data owners are responsible for identifying controls and procedures to protect against the unauthorized access, modification, transmission, storage or other use of information, subject to review by the SDSU Information Security Office.
- Identity Validation Keys (name with)
- Birth date (full: mm-dd-yy)
- Birth date (partial: mm-dd only)
- Photo (taken for identification purposes)
- Student Information-Educational Records not defined as “directory” information, typically:
- Grades
- Courses taken
- Schedule
- Test scores
- Advising records
- Educational services received
- Disciplinary actions
- Student photo
- Library circulation information
- Trade secrets or intellectual property such as research activities
- Location of critical assets
- Location of Level 1 or Level 2 Data
- Licensed software
- Vulnerability/security information related to a campus or system
- Campus attorney-client communications
- Employee information
- Employee net salary
- Home address
- Personal telephone numbers
- Personal email address
- Payment history
- Employee evaluations
- Pre-employment background investigations
- Mother’s maiden name
- Race and ethnicity
- Parents’ and other family members’ names
- Birthplace (City, State, Country)
- Gender
- Marital Status
- Physical description
- Emergency contact information (address, phone, names, etc.)
- Personal vehicle information
- Other
- Legal investigations conducted by the Research Foundation
- Sealed bids
- Trade secrets or intellectual property such as research activities
- Location of highly sensitive or critical assets (e.g. safes, check stocks, etc.)
- Library circulation information
- Vulnerability or incident information
- Licensed software
- Attorney/client communications
- Third party proprietary information per contractual
When PL2 data is transmitted electronically, it must be protected using approved campus processes.
Protected Level 3 (PL3) / Generally Regarded as Publicly Available
Protected level 3 is information that is regarded as publicly available. Disclosure of this information does not expose the CSU/SDSU/SDSURF to financial loss or jeopardize the security of the CSU’s information assets.
This information is either explicitly defined as public information (such as state employee salary ranges) or intended to be available to individuals both on-campus and off-campus (such as employee work email addresses). Publicly available information may still be subject to Research Foundation review or disclosure procedures to mitigate potential risks of inappropriate disclosure.
- Student information designated as Educational Directory Information (excluding grades):
- Student name
- Major field of study
- Dates of attendance
- Degrees, honors and awards received
- Employee Information (including student employment)
- Employee title
- Employee name (first, middle, last; except when associated with protected information)
- Enrollment status
- Department employed
- Work location and telephone number
- Work e-mail address
- Employee classification
- Status as student (such as TA, GA, ISA)
- Employee gross salary
- SDSU identification number (RedID)
Where several categories apply, use the highest level of security, that is, use Level 1 versus Level 2 and so on. Questions about the proper classification of a specific piece of information should be addressed to your manager.
Non-Foundation (personal) information (both electronic and non-electronic), such as personal credit reports, personal bank statements, or even contact information from a synchronized cell phone or PDA should not be stored on SDSURF systems as SDSURF does not assume responsibility for securing this information and many systems may not be secured for this information by default. Personal information does not just pertain to first party personal information (yours), but also to any third party personal information (someone else’s).
Information Labeling Guidelines
The designated owner of an information asset (e.g. department manager, PI, Fund Manager, etc.) is responsible for making the determination as to how an asset must be classified (e.g. Level 1, Level 2 or Level 3). Aggregates of data must be classified based on the most secure classification level.
If no marking is present, SDSURF information is presumed to be "SDSURF Confidential" unless expressly determined to be SDSURF Public information by a SDSURF employee with authority to do so.
Information Handling Guidelines
- When PL1 data is transmitted electronically, it must be sent via a method that uses strong encryption. (E.g. Secure File Send, Globus, other campus approved tools)
- Where the combination of assessed risk, technical feasibility and operational practicality allow, protected level 1 data stored electronically must be encrypted using strong encryption methods. Work with your IT Manager for solutions that work best for your situation.
- Hardcopy materials and physical media with protected data must be stored in locked enclosures. Protected information should not be left unattended in unsecured areas.
- Transportation of physical media containing protected data (e.g. transfer of backup media or thumb drives to and/or from remote locations, etc.) must be documented and reviewed annually. PL1 data must be encrypted, PL2 data should be encrypted.
- Third party agreements for cloud services must be reviewed by your IT Manager and approved by the IT Security Office through the Technology Acquisition Review Process (TARP).
- SDSU G-Suite and Office 365 cloud services are approved for PL2 and PL3 data. If you have a need to store PL1, please coordinate with your supervisor and IT Manager.
- SDSU AdobeSign is approved for PL2 and PL3 data. SDSU IT Division can create special accounts that can support PL1 data upon request.
- SDSU Google mail is NOT approved for PL1 data. You must use an alternative method (e.g. Secure File Send) to send and/or receive PL1 data. Work with your supervisor and/or IT Manager to identify approved options.
- Do not transmit protected information in voice mail messages. Leave name and call back number only.
- Fax PL1 only when the recipient is at the other end of the line to immediately pick up the transmission. Information should be sent only to fax machines at known locations where the physical security of the receiving machine can be assured. Fax machines receiving sensitive information must be in a secure location and inbound documents processed immediately.
- Information should be managed in accordance with Record Retention and Disposition policies. Paper documents with protected information should be shredded and electronic media should be securely sanitized before destruction or recycling. Coordinate with fixed asset coordinator for current campus procedures.
- Hardware on which protected data is stored, distributed or accessed must be located in a secured location that is protected by appropriate physical and environmental controls. (E.g. campus data center)
Adopted: November 2009
Revised: January 2023