Department of Corrections and Rehabilitation - Operations Manual

Chapter 4 – Information Technology

Article 45 – Information Security

49020.6.2 Classification of Information

  • California Department of Corrections and Rehabilitation (CDCR) records, automated files, and databases are essential public resources that must be given appropriate protections from unauthorized use, access, disclosure, modification, loss, or deletion. The discovery and classification of CDCR Information Assets is a continuing endeavor and requires the ongoing support of information owners and other stakeholders.

    • The Enterprise Information Services (EIS, formerly Information Services Division) Enterprise Architecture organization is responsible for maintaining and facilitating the processes and procedures for enterprise governance of CDCR Information Assets and engaging Information Owners and Stakeholders for Information Security Classification decision-making and governance.

    • Information Owners are responsible for reviewing and classifying information, solely or with others, for information they own or share ownership of, and for participating in the CDCR Information Governance process; the final ruling for Security Classification decisions rests with the Information Owners.

    • Stakeholders are responsible for raising Information security concerns with respect to Information Security Classification and ensuring information is treated appropriately based on duly made classification decisions.

    • All users of CDCR Information are responsible for protecting CDCR Information under their control or influence from unauthorized use, access, disclosure, modification, loss, or deletion, including notifying appropriate CDCR authorities when vulnerabilities to CDCR Information are noticed or when Security Classifications or protections for CDCR Information appear inadequate.

  • CDCR will classify each record, file, and database using the following classification structure:

    • Public Information – information maintained by CDCR that is not exempt from disclosure under the provisions of the California Public Records Act (Government Code (GC) §§ 6250-6265) or other applicable state or federal laws (State Administrative Manual (SAM) § 5320.5).

    • Confidential Information – information maintained by CDCR that is exempt from disclosure under the provisions of the California Public Records Act (GC §§ 6250-6265) or other applicable state or federal laws (SAM § 5320.5).

    • High Risk Confidential Information (HRCI) – Non-public information that if disclosed could result in a significant harm (including financial, legal, risk to life and safety or reputational damage) to the CDCR or individual(s) if compromised through alteration, corruption, loss, misuse, or unauthorized disclosure. Examples of HRCI include, but are not limited to, information such as the following:

      • Personally identifiable information such as a person’s name in conjunction with the person’s social security, credit or debit card information, individual financial account, driver’s license number, state ID number, or passport number, or a name in conjunction with biometric information;

      • Personal health information such as any information about health status, provisions of health care, or payment for health care information as protected under the Health Insurance and Portability Act of 1996;

      • Correctional Offender Record Information as defined in California Penal Code (PC) §§ 13100-13104;

      • All Information Technology (IT) infrastructure information that would reveal vulnerabilities to, or otherwise increase the potential for an attack on, an information technology system of a public agency, including but not limited to firewall and router configurations, server names, IP addresses, and other system configurations;

      • Any document which contains information identifying any Confidential Informant, or confidential information provided, as defined in California Code of Regulations (CCR) Title 15, § 3321;

      • Any documentation of information which contains information or data within any Gang Data Base as defined in the Department Operations Manual (DOM) §§ 52070.22 through 52070.24;

      • Records of investigations, intelligence information, or security procedures as specified in the Public Records Act (PRA) Section 6254(f).

    • Personnel, medical, or similar files, the disclosure of which would constitute an unwarranted invasion of personal privacy protected under the California Government Code § 6254(c) or the Peace Officers Bill of Rights under Government Code §§ 3300 et seq.

    • Sensitive Information – information maintained by CDCR that requires a higher than normal assurance of accuracy and completeness. Thus the key factor for sensitive information is that of integrity. Typically, sensitive information includes records of financial transactions and regulatory actions.

  • Personal Information requested by researchers not under the authority of CDCR may only be received by University of California or other non-profit educational institutions and in accordance with the provisions set forth in law, including the prior review and approval by the Committee for the Protection of Human Subjects (CPHS) of the California Health and Human Services Agency before such information is released (SAM § 5320.5). See Civil Code § 1798.24(t).