Data Confidentiality Regulations
Definitions of Selected Types of Restricted Data
Personal Identity Information (PII)
Personal identity information (PII) is the electronic record of an individual's first name (or first initial) and last name, in combination with one or more of the following:
- Social Security Number (SSN)
- Driver's license number or state-issued ID card number
- Account number, or credit or debit card number
- Medical information
- Health insurance information
Personal Identity Information (PII) is Protected by State Law
For more information on Oregon state law regarding PII, see: Oregon State Privacy Laws and Practices (PDF)
Credit Card Data/PCI
Credit card (cardholder) data is regulated by the Payment Card Industry (PCI) Data Security Standard (DSS).
Description of the PCI Standard
The PCI DSS is a set of security requirements developed by the major payment card brands to ensure consistent data security measures for sensitive cardholder data.
These requirements apply to anyone who stores, processes, transmits or otherwise has access to cardholder data. They also apply to all system components included in, or connected to, the cardholder data environment.
System components include network devices, servers and applications.
Payment Card Industry (PCI) Data Security Standard References
Payment Card Industry Data Security Standard: https://www.pcisecuritystandards.org/security_standards/index.php
Payment Card Industry Self-Assessment Questionnaire (SAQ), designed to determine compliance with the PCI DSS: https://www.pcisecuritystandards.org/merchants/self_assessment_form.php
FERPA: The Family Educational Rights and Privacy Act of 1974 (a federal law)
Most student records are not considered restricted data; they are considered confidential data. The disclosure of information from student records is governed by FERPA.
At COCC, the Registrar is the authoritative office for FERPA. Refer to the Registrar's website for information about privacy requirements for student records, as well as related resources: www.cocc.edu/instruction/faculty-resources/ferpa-for-faculty/
Student records protected by FERPA are protected by both federal and state law.
Federal & State Laws: The disclosure of information from student records is governed by FERPA and, in part, by rules of the Oregon Department of Education.
Potential consequences include legal or civil action and withdrawal of federal funds under any program administered by the Secretary of Education.
Examples of Other Types of Non-Restricted, Confidential Information
- Home address or home telephone number
- Personal information protected by anti-discrimination and information privacy laws, such as:
  - Ethnicity or gender
  - Date of birth
  - Marital status
  - Religion or sexual orientation
- Certain types of student records
- Exams, answer keys, and grade books
- Applicant information in a pending recruitment
- Information subject to a non-disclosure agreement, including research data, intellectual property (IP), patent information and other proprietary data
- Academic evaluations and letters of recommendation
- Responses to a Request for Proposal (RFP) before a decision has been reached
- Some kinds of personnel actions
- "Pre-decisional" budget projections for a campus department (can also be marked "Draft" or "Not for Distribution")
Electronic Protected Health Information (ePHI/HIPAA Data)
Patient health information that is computer-based, i.e., created, received, stored or maintained, processed and/or transmitted in electronic media. Examples include:
- Medical record number, account number or SSN
- Patient demographic data, e.g., address, date of birth, date of death, sex, email or web address
- Dates of service, e.g., date of admission or discharge
- Medical records, reports, test results, appointment dates
Electronic Protected Health Information (ePHI) is protected by state and federal laws
State Laws: Oregon ORS 192.553: Policy for protected health information.
Federal Laws: The HIPAA Privacy Rule and Security Rule mandate protection and safeguards for the access, use and disclosure of PHI and ePHI, with sanctions for violations.