Approved by Employee Data Management Group (EDMG) March 2, 2020

Security Levels for Human Capital Management (HCM) Data

| Types of Data Elements | Public | Confidential | Highly Confidential |
| --- | --- | --- | --- |
| Directory Information: first and last name, business title, official university email, department name, department address, campus | X | | |
| Personnel Records: employee ID, universal ID, operator ID, pronouns, birthdate, address, phone number, personal email, emergency information, position number, job data, compensation, contract details, supervisor, performance ratings, training records, payroll data, benefit elections, tax information, time collection, leave requests, employment application information | | X | |
| Protected by Law: Social Security number, taxpayer ID, national ID, race, ethnicity, religion, national origin, citizenship, legal presence, visas, age, sex, marital status, disability, military status, veteran status, bank account numbers, dependent information | | | X |

In PeopleSoft HCM, records (database tables) are assigned to query trees for reporting purposes. Access to one or more query trees is granted based on assigned roles and gives users access to all records found on the corresponding query trees. Typically, records containing higher-level data are assigned to query trees that are accessible only to users in roles that must be able to query that level of data en masse. Query tree access does not affect page access.

PeopleSoft HCM also uses row-level security, which enables users to access a record without viewing all rows of the record. Row-level security is typically implemented for records with position and/or employee data. Row-level security applies to most page access, as well as to Query, a built-in reporting tool.

See Standards for Data classification and System Security Categorization for more information about data classifications. The data elements above should be handled in a manner consistent with the corresponding classification. In many cases, this means the security protections may be stricter, though they should never be less rigorous than required.