Protection Levels for UC Institutional Information


In accordance with UC's IS-3 Electronic Information Security policy, university data (also known as Institutional Information) and IT resources are classified into one of four Protection Levels based on the legal impact a breach would have on UC Santa Cruz. P4 data requires the most security controls and P1 data requires a minimal set of controls. For the complete classification guide on Protection Levels, including explanations of the classifications and additional examples, see UC's Classification of Information and IT Resources page.

Proprietors, with the support of their Subject Matter Experts (SMEs) and Unit Information Security Leads (UISLs), are responsible for determining the Protection Level for Institutional Information and IT resources under their area of responsibility. It is important to classify data accurately so that appropriate compliance requirements can be identified. 

The following section defines each Protection Level and provides examples of data and IT resources that should be classified at that level. These examples are not exhaustive. If you are unsure about particular data, contact your UISL for guidance.

Data Protection Level Classifications

P4 - High


Institutional Information and IT resources whose unauthorized disclosure or modification could result in significant fines, penalties, regulatory action, or civil or criminal violations. 

Examples of P4 Data

Personally Identifiable Information (PII)

Intellectual property classified at P4 

Credit card data

Personal Data as defined in GDPR

Controlled Unclassified Information (CUI)

Student financial aid

Protected Health Information (PHI)

Covered Defense Information (CDI)

Financial records or payroll records

Identifiable Human Subject Research Data

Controlled Technical Information (CTI)

Passport documentation (images and numbers)

Export Controlled Research Data (EAR/ITAR)

Student disability information 

Industrial Control Systems affecting life and safety

Passwords, PINs, and passphrases


P3 - Moderate


Institutional Information and related IT Resources whose unauthorized disclosure or modification could result in small to moderate fines, penalties or civil actions (Proprietary). 

Examples of P3 Data

Student Education Records (FERPA)

IT Security Info and Plans

UC Personnel Records

Student Special Services Records (accommodations)

Attorney-Client Privileged Information

Physical Building Designs

Intellectual property not classified as P4

Certain types of federal data (FISMA)

Building entry records

Identifiable Human Subject Research Data not classified as P4 

Animal Research Protocols

Individually identifiable location data that tracks an individual's movement or building/room-level location*

Export Controlled Research Data (EAR/ITAR) not classified as P4

Medical devices supporting diagnostics (not containing P4 information)

Security camera recordings, body-worn video system recordings, and cameras recording cash handling or payment card handling areas

Industrial control systems affecting operations


P2 - Low


Institutional Information and related IT Resources that may not be specifically protected by statute, regulations or other contractual obligations or mandates, but are generally not intended for public use or access (Internal).

Examples of P2 Data

Emails, calendar information, meeting notes or other business records and documentation (not containing P3 or P4 data)

Licensed software/software license keys

UC directory info (where no FERPA block is requested)*

Building plans

Exams (questions and answers)

Library paid subscription electronic resources

Research using publicly available data*

Non-P3/P4 data protected or restricted by contract, grant, or other agreement terms and conditions*

Information intended for release only on a need-to-know basis, including personal information not otherwise classified as P1, P3 or P4

Non-public research using publicly available data*

De-identified research data


P1 - Minimal


Public information or information intended to be readily obtainable by the public, but whose integrity is important and for which unauthorized modification is the primary protection concern (Public). 

 Examples of P1 Data

Hours of operation

Parking regulations

Course catalogs

Press releases

Public websites 

Public event calendars

Published research

*Please note that such data may also be subject to IRB regulations if collected as part of a human subjects research study.

Related Documents and Policies

Get Help

Contact the ITS Support Center if you need assistance with IT security or IS policy.