Protection Levels for UC Institutional Information
Overview
In accordance with UC's IS-3 Electronic Information Security policy, university data (also known as institutional information) and IT resources are classified into one of four Protection Levels based on the legal impact a breach would have on UC Santa Cruz. P4 data requires the most security controls and P1 data requires a minimal set of controls. For the complete classification guide on Protection Levels, including explanations of the classifications and additional examples, see UC's Classification of Information and IT Resources page.
Proprietors, with the support of their Subject Matter Experts (SMEs) and Unit Information Security Leads (UISLs), are responsible for determining the Protection Level for institutional information and IT resources under their area of responsibility. It is important to classify data accurately so that appropriate compliance requirements can be identified.
The following section defines each Protection Level and provides examples of data and IT resources that should be classified at that level. These examples are not exhaustive. If you are unsure about particular data, contact your UISL for guidance.
Data Protection Level Classifications
P4 - High
Institutional information and IT resources whose unauthorized disclosure or modification could result in significant fines, penalties, regulatory action, or civil or criminal violations.
Examples of P4 Data
- Financial records or payroll records
- Passwords, PINs, and passphrases
- Passport documentation (images and numbers)
- Identifiable and/or sensitive human subjects research data
- Export-controlled research data
- Protected health information (PHI)
- Student disability information
- Covered defense information (CDI)
- Industrial control systems (ICS) affecting life and safety
P3 - Moderate
Institutional information and related IT resources whose unauthorized disclosure or modification could result in small to moderate fines, penalties or civil actions (Proprietary).
Examples of P3 Data
- Building entry records
- Individually identifiable location data that tracks an individual's movement or building/room-level location*
- Security camera recordings, body-worn video system recordings, and cameras recording cash handling or payment card handling areas
- Student special services records (accommodations)
- Physical building designs
- Identifiable human subject research data not classified as P4
- Animal research protocols
- Export-controlled research data (EAR/ITAR) not classified as P4
- Personal data as defined in GDPR
- Industrial control systems affecting operations
- Medical devices supporting diagnostics (not containing P4 information)
P2 - Low
Institutional information and related IT resources that may not be specifically protected by statute, regulations or other contractual obligations or mandates, but are generally not intended for public use or access (Internal).
Examples of P2 Data
- Emails, calendar information, meeting notes or other business records and documentation (not containing P3 or P4 data)
- Licensed software/software license keys
- UC directory info (where no FERPA block is requested)*
- Building plans
- Exams (questions and answers)
- Library paid subscription electronic resources
- Research using publicly available data*
- Non-P3/P4 data protected or restricted by contract, grant, or other agreement terms and conditions*
- Information intended for release only on a need-to-know basis, including personal information not otherwise classified as P1, P3 or P4
- Non-public research using publicly available data*
- De-identified research data
P1 - Minimal
Public information or information intended to be readily obtainable by the public, but whose integrity is important and for which unauthorized modification is the primary protection concern (Public).
Examples of P1 Data
- Hours of operation
- Parking regulations
- Course catalogs
- Press releases
- Public websites
- Public event calendars
- Published research
*Please note that such data may also be subject to IRB regulations if collected as part of a human subjects research study.
Related Documents and Policies
- Data Classification - Availability Levels
- Data and Resource Classification Guideline
- UC BFB-IS-3: Electronic Information Security
- UC Institutional Information and IT Resource Classification Standard and Guides
- General Data Protection Regulation (GDPR) Information
- NIH Data Management and Sharing Policy
Get Help
Contact the ITS Support Center if you need assistance with IT security or IS policy.