Protection Levels for UC Institutional Information

Under the IS-3 Electronic Information Security policy, university data is classified in one of four categories, known as Protection Levels. For the complete classification guide on Protection Levels, including explanations of the classifications and additional examples, see the Classification of Information and IT Resources Guide. ITS has also created a data resource classification page for quick reference.

Protection Level 

Impact of Disclosure Examples

Protection Level P4

P4 - High

Institutional Information and related IT Resources whose unauthorized disclosure or modification could result in significant fines, penalties, regulatory action, or civil or criminal violations (Statutory).
  • Financial Records
    • Credit Card, Financial Aid, Payroll 
  • Personally Identifiable Information (PII)
    • Large collections or special sensitivity to privacy
  • Protected Health Information (patient records)
  • Social Security Numbers
  • Sensitive or Identifiable Research Data
    • Export Controlled (ITAR), Human Subject research
    • Human subject research data with individual identifiers
  • Controlled Unclassified Information (CUI)

Protection Level P3

P3 - Moderate

Institutional Information and related IT Resources whose unauthorized disclosure or modification could result in small to moderate fines, penalties or civil actions (Proprietary). 

  • Student Education Records (FERPA)
  • IT Security Info and Plans
  • UC Personnel Records
  • Attorney-Client Privileged Information
  • Research classified as P3 by the IRB

Protection Level P2

P2 - Low

Institutional Information and related IT Resources that may not be specifically protected by statute, regulations or other contractual obligations or mandates, but are generally not intended for public use or access (Internal).
  • Business records and documentation not containing P3 or P4 data
    • email, calendar, meeting notes
  • Research using publicly available data
  • UC directory info (where no FERPA block is requested)
  • Building Plans
  • Calendar information not containing P3 or P4 information
  • Routine email not containing P3 or P4 information
  • Meeting notes not containing P3 or P4 information


Protection Level P1

P1 - Minimal

Public information or information intended to be readily obtainable by the public, but whose integrity is important and for which unauthorized modification is the primary protection concern (Public). 
  • Hours of operation
  • Parking regulations
  • Course catalogs
  • Press releases
  • Public websites 
  • Public event calendars

P4 requires the most security controls and P1 requires a minimal set of controls. It is important to classify the information accurately so that appropriate compliance requirements can be identified.  Under-classification may result in inadequate protections that could lead to data breaches. Classifications should be applied in compliance requirements as outlined in UC or campus policy, law, regulation or contract. For more examples, definitions, and key terms see UC Institutional Information and IT Resource Classification Standard.

 Contact the ITS Support Center if you need assistance with IT security or IS policy.