Home / IT Policies / Protection Levels for UC Institutional Information

Protection Levels for UC Institutional Information

Overview

Under the IS-3 Electronic Information Security policy, university data is classified in one of four categories, known as Protection Levels. For the complete classification guide on Protection Levels, including explanations of the classifications and additional examples, see the Classification of Information and IT Resources Guide. ITS has also created a data resource classification page for quick reference.

Jump to Data Classification Table - Protection Levels

Scope

This Data Classification Standard covers UC Santa Cruz Institutional Information and IT Resources. This Standard does not apply to Individually-Owned Data, which is defined as an individual’s own personal information that is not considered Institutional Information.

NEW (2023) NIH DMSP: NIH has issued the Data Management and Sharing (DMS) policy (effective January 25, 2023) to promote the sharing of scientific data. Sharing scientific data accelerates biomedical research discovery, in part, by enabling validation of research results, providing accessibility to high-value datasets, and promoting data reuse for future research studies.

Research covered by the 2023 Data Management and Sharing Policy
FAQs
FAQ: Human Subjects Research and Consent Forms

Business Impact

Considerations for evaluating potential adverse impact to UC Santa Cruz due to loss of data or resource confidentiality, integrity, or availability include:

Loss of critical Campus operations
Negative financial impact (money lost, lost opportunities, value of the data)
Damage to the reputation of the Institution
Risk of harm to individuals (such as in the case of a breach of personal information)
Potential for regulatory or legal action
Requirement for corrective actions or repairs
Violation of University of California or UC Santa Cruz mission, policy, or principles

Data Classification Table - Protection Levels

Table organizing UC's data protection levels with definitions and examples.
Protection Level	Impact of Disclosure	Examples
P4 - High	Institutional Information and related IT Resources whose unauthorized disclosure or modification could result in significant fines, penalties, regulatory action, or civil or criminal violations (Statutory).	Financial Records Credit Card, Financial Aid, Payroll Personally Identifiable Information (PII) Large collections or special sensitivity to privacy Protected Health Information (patient records) Social Security Numbers Sensitive or Identifiable Research Data Export Controlled (EAR/ITAR) Sensitive human subject research data with individual identifiers Individually identifiable human genetic information Controlled Unclassified Information (CUI) Covered Defense Information (CDI) Controlled Technical Information (CTI) Student disability information or other medical information to provide services Intellectual property classified at P4 Passwords, PINs and passphrases, or other authentication secrets that can be used to access P2 to P4 information or to manage IT Resources Industrial Control Systems affecting life and safety Passport documentation (images and numbers) Data or systems that create extensive "Shared-Fate" risk between multiple sensitive systems, e.g., enterprise credential stores such as the CalNet credential database; Domain Name Service (DNS). This can include both campuswide and unit-level systems.
P3 - Moderate	Institutional Information and related IT Resources whose unauthorized disclosure or modification could result in small to moderate fines, penalties or civil actions (Proprietary).	Student Education Records (FERPA)- This includes student education records that are utilized in human subjects research IT Security Info and Plans UC Personnel Records Attorney-Client Privileged Information Human subjects research data with individual identifiers Student Special Services Records Certain types of federal data (Pre-CUI) Intellectual property not classified as P4 Physical Building Designs Personally Identifiable Information (PII) and/or Personal Data as defined in GDPR when either is contained in large sets Security camera recordings, body-worn video system recordings, and cameras recording cash handling or payment card handling areas Building entry records Individually identifiable location data that tracks an individual's movement or building/room-level location* Animal research protocols, and data related to animal researchers and members of the animal research committee (IACUC) Medical devices supporting diagnostics (not containing P4 information) Industrial control systems affecting operations
P2 - Low	Institutional Information and related IT Resources that may not be specifically protected by statute, regulations or other contractual obligations or mandates, but are generally not intended for public use or access (Internal).	Business records and documentation not containing P3 or P4 data email, calendar, meeting notes Research using publicly available data* UC directory info (where no FERPA block is requested)* Building Plans Calendar information not containing P3 or P4 information Routine email not containing P3 or P4 information Meeting notes not containing P3 or P4 information Information intended for release only on a need-to-know basis, including personal information not otherwise classified as P1, P3 or P4 Non-P3/P4 data protected or restricted by contract, grant, or other agreement terms and conditions* Exams (questions and answers) Non-public research using publicly available data* Licensed software/software license keys Library paid subscription electronic resources
P1 - Minimal	Public information or information intended to be readily obtainable by the public, but whose integrity is important and for which unauthorized modification is the primary protection concern (Public).	Hours of operation Parking regulations Course catalogs Press releases Public websites Public event calendars Published research

*Please note such data may also be subject to IRB regulations if collected as part of a human subjects research study.

P4 requires the most security controls and P1 requires a minimal set of controls. It is important to classify the information accurately so that appropriate compliance requirements can be identified. Under-classification may result in inadequate protections that could lead to data breaches. Classifications should be applied in compliance requirements as outlined in UC or campus policy, law, regulation or contract. For more examples, definitions, and key terms see UC Institutional Information and IT Resource Classification Standard.

Get Help

Contact the ITS Support Center if you need assistance with IT security or IS policy.