
Guide: Data Protection Levels

In accordance with UC Electronic Information Security Policy (IS-3), university data is classified into four Protection Levels based on the impact a breach would have on UC Santa Cruz. The higher the protection level, the more security controls are required.

If you suspect an information security incident involving P3 or P4 data, you must report it promptly.


Learn more about the protection levels and see examples of data and IT resources classified at each level. For a more complete list of examples, see the UC’s Classification of Information and IT Resources. If you are unsure about particular data, contact your Unit Information Security Lead (login required) for guidance.


High data protection (P4)

Institutional information and IT resources whose unauthorized disclosure or modification could result in significant fines, penalties, regulatory action, or civil or criminal violations. Examples include:


Moderate data protection (P3)

Institutional information and related IT resources whose unauthorized disclosure or modification could result in small to moderate fines, penalties or civil actions. Examples include:

  • Animal research protocols
  • Attorney/client privileged information
  • Building entry records
  • Federal data (certain types: FISMA)
  • Individually identifiable location data that tracks an individual’s movement or building/room level location
  • Industrial control systems affecting operations
  • Intellectual property not classified as P4
  • IT security info and plans
  • Medical devices supporting diagnostics (not containing data classified as P4)
  • Personal data as defined in GDPR
  • Physical building designs
  • Research data (identifiable human subject data not classified as P4)
  • Research data (export-controlled data not classified as P4)
  • Student education records (FERPA)
  • Student special services records (accommodations)
  • UC personnel records
  • Video (security camera recordings, body-worn video system recordings, and cameras recording cash handling or payment card handling areas)

Low data protection (P2)

Institutional information and related IT resources that may not be specifically protected by statute, regulations or other contractual obligations or mandates, but are generally not intended for public use or access. Examples include:

  • Building plans
  • Emails, calendar information, meeting notes or other business records and documentation (not containing P3 or P4 data)
  • Exams (questions and answers)
  • Library paid subscription electronic resources
  • Licensed software/software license keys
  • Need-to-know information (intended for release only on a need-to-know basis)
  • Non-P3/P4 data protected or restricted by contract, grant, or other agreement terms and conditions*
  • Personal information (not otherwise classified as P1, P3, or P4)
  • Research data using publicly available data*
  • Research data for non-public research using publicly available data*
  • Research data (de-identified)
  • UC directory info (where no FERPA block is requested)*

*Data may also be subject to IRB regulations if collected as part of a human subjects research study.


Minimal data protection (P1)

Public information or information intended to be readily obtainable by the public, but whose integrity is important and for which unauthorized modification is the primary protection concern. Examples include:

  • Course catalog
  • Event calendars (public)
  • Hours of operation
  • Parking regulations
  • Press releases
  • Research (published)
  • Websites (public)

  • Comply: Confirm you are complying with the UC Minimum Security Standard and other secure practices by following all steps under How to Stay Secure.
  • Authorization: Be sure that you have proper authorization and training prior to accessing P3-P4 data. Learn more in the Authorization to handle P3 and P4 data section.
  • Do not share: Never share or discuss P3-P4 data with unauthorized individuals.
  • Safe storage: Store the minimum amount of P3-P4 data possible, and know where it is stored.
  • Shred: Always shred physical documents with P3-P4 data when they are no longer needed.
  • Sign: Read and sign UCSC’s Access to Information Statement (required for all ITS staff).
  • Delete: Securely delete P3-P4 data when there is no longer a business need for its retention. Don’t forget email, attachments, screenshots, old or previous versions of files, drafts, archives, copies, backups, CDs/DVDs, old floppy disks, etc. Learn how to securely delete files on Macs and PCs or how to securely delete emails.

  • Background checks and/or fingerprinting are required when hiring or reassigning individuals to critical positions with access to P3-P4 data.
  • Employees whose jobs involve working with P3-P4 data must receive IT Security Awareness Training on basic computer security awareness, security incident response, practices for protecting P3-P4 data, and relevant policy requirements.
  • Additional training may be required for access to specific regulatory protected data. For additional information, contact Staff Human Resources or the Academic Personnel Office.

  • Keep P4 data out of the cloud
    • Don’t put sensitive information in locations that are accessible from the Internet
    • Refrain from capturing P3 and P4 data in screenshots
  • Encrypt all P3 and P4 data when it is stored or transmitted
    • Applies to P3 and P4 data that is online, remotely accessible, in emails, file transfers, and workstation/server communications, as well as P3 and P4 data stored in a physical or virtual database, on a file server, or in an archival server.
    • Design database systems so that P3 and P4 data can be identified, and avoid using P3 and P4 data elements as the “key” to a database. Be sure you know who has access to server folders before you put P4 data there.
    • Confirm share settings in Google Drive before you put P3 data there.
    • Use Email and File Encryption (Virtru) to protect the transmission of P3 and P4 data. Avoid standard (unencrypted) email and unencrypted Instant Messaging (IM). Sensitive information should not be sent through the campus email service.
  • Notify any recipients of P3 and P4 data that the data requires security protections.
  • Avoid using public wireless networks and set devices to “ask” before joining new networks so you don’t unknowingly connect to unsecured wireless networks.
  • Instead, use secure networks such as eduroam on-campus and Campus Virtual Private Network (VPN) off-campus to transmit P3 and P4 data.
  • Don’t install unknown or unsolicited programs, such as toolbars or browser extensions, on your computer. These can harbor behind-the-scenes computer viruses or open a “back door” giving others access to your computer without your knowledge.
  • Destroy or completely and securely remove P3 and P4 data from computers, electronic devices, and electronic media (including backups) before disposal, reuse, or reassignment. See Computer Surplus and Disposal for more information.
  • Be prepared for a disaster or other emergency: all P3 and P4 data must be backed up regularly to a physically secure location, encrypted, and transported securely. Be familiar with your department’s or unit’s disaster recovery plan and emergency operations procedures for the protection of P3 and P4 data.
  • Include required contractual terms and conditions for third party vendors that will collect, process, or maintain UC Institutional Information and/or access IT Resources via the Appendix Data Security (DS).
  • Report security incidents involving P3 and P4 data promptly, whether they are suspected or actual violations, via the Report an Incident form.

These data protection levels are in accordance with the University of California’s IS-3 Electronic Information Security policy. Learn more about the IS-3 policy:

Last modified: Apr 29, 2025