Protection Levels for UC Institutional Information

Overview

In accordance with UC's IS-3 Electronic Information Security policy, university data (also known as institutional information) and IT resources are classified into one of four Protection Levels based on the legal impact a breach would have on UC Santa Cruz. P4 data requires the most security controls and P1 data requires a minimal set of controls. For the complete classification guide on Protection Levels, including explanations of the classifications and additional examples, see UC's Classification of Information and IT Resources page.

Proprietors, with the support of their Subject Matter Experts (SMEs) and Unit Information Security Leads (UISLs), are responsible for determining the Protection Level for institutional information and IT resources under their area of responsibility. It is important to classify data accurately so that appropriate compliance requirements can be identified. 

The following section defines each Protection Level and provides examples of data and IT resources that should be classified at that level. These examples are not exhaustive. If you are unsure about particular data, contact your UISL for guidance.

Data Protection Level Classifications

P4 - High

Institutional information and IT resources whose unauthorized disclosure or modification could result in significant fines, penalties, regulatory action, or civil or criminal violations. 

Examples of P4 Data

Financial records or payroll records

Passwords, PINs, and passphrases

Passport documentation (images and numbers)

Credit card data

Identifiable and/or sensitive human subjects research data

Personally identifiable information (PII)

Student financial aid

Export-controlled research data

Protected health information (PHI)

Student disability information

Controlled unclassified information (CUI)

Covered defense information (CDI)

Controlled technical information (CTI)

Intellectual property classified at P4

Industrial control systems (ICS) affecting life and safety

 

P3 - Moderate

Institutional information and related IT resources whose unauthorized disclosure or modification could result in small to moderate fines, penalties or civil actions (Proprietary). 

Examples of P3 Data

Building entry records

Individually identifiable location data that tracks an individual's movement or building/room-level location*

Security camera recordings, body-worn video system recordings, and cameras recording cash handling or payment card handling areas

Student education records (FERPA)

UC personnel records

Attorney-client privileged information

Student special services records (accommodations)

IT security info and plans

Physical building designs

Identifiable human subject research data not classified as P4 

Animal research protocols

Export-controlled research data (EAR/ITAR) not classified as P4

Intellectual property not classified as P4

Certain types of federal data (FISMA)

Personal data as defined in GDPR

Industrial control systems affecting operations

Medical devices supporting diagnostics (not containing P4 information)

 

P2 - Low

Institutional information and related IT resources that may not be specifically protected by statute, regulations or other contractual obligations or mandates, but are generally not intended for public use or access (Internal).

Examples of P2 Data

Emails, calendar information, meeting notes or other business records and documentation (not containing P3 or P4 data)

Licensed software/software license keys

UC directory info (where no FERPA block is requested)*

Building plans

Exams (questions and answers)

Library paid subscription electronic resources

Research using publicly available data*

Non-P3/P4 data protected or restricted by contract, grant, or other agreement terms and conditions*

Information intended for release only on a need-to-know basis, including personal information not otherwise classified as P1, P3 or P4

Non-public research using publicly available data*

De-identified research data

 

P1 - Minimal

Public information or information intended to be readily obtainable by the public, but whose integrity is important and for which unauthorized modification is the primary protection concern (Public). 

Examples of P1 Data

Hours of operation

Parking regulations

Course catalogs

Press releases

Public websites 

Public event calendars

Published research

*Please note that such data may also be subject to IRB regulations if collected as part of a human subjects research study.

Related Documents and Policies

Get Help

Contact the ITS Support Center if you need assistance with IT security or IS policy.