Protection Levels for UC Institutional Information

Overview

Under the IS-3 Electronic Information Security policy, university data is classified into one of four categories, known as Protection Levels. For the complete classification guide on Protection Levels, including explanations of the classifications and additional examples, see the Classification of Information and IT Resources Guide. ITS has also created a data resource classification page for quick reference.

Scope

This Data Classification Standard covers UC Santa Cruz Institutional Information and IT Resources. This Standard does not apply to Individually-Owned Data, which is defined as an individual’s own personal information that is not considered Institutional Information.

NEW (2023) NIH DMSP: NIH has issued the Data Management and Sharing (DMS) policy (effective January 25, 2023) to promote the sharing of scientific data. Sharing scientific data accelerates biomedical research discovery, in part, by enabling validation of research results, providing accessibility to high-value datasets, and promoting data reuse for future research studies.

Business Impact

Considerations for evaluating potential adverse impact to UC Santa Cruz due to loss of data or resource confidentiality, integrity, or availability include:

  • Loss of critical Campus operations
  • Negative financial impact (money lost, lost opportunities, value of the data)
  • Damage to the reputation of the Institution
  • Risk of harm to individuals (such as in the case of a breach of personal information)
  • Potential for regulatory or legal action
  • Requirement for corrective actions or repairs
  • Violation of University of California or UC Santa Cruz mission, policy, or principles

Data Classification Table - Protection Levels

Table organizing UC's data protection levels with definitions and examples. Columns: Protection Level, Impact of Disclosure, Examples.

P4 - High

Institutional Information and related IT Resources whose unauthorized disclosure or modification could result in significant fines, penalties, regulatory action, or civil or criminal violations (Statutory).

P3 - Moderate

Institutional Information and related IT Resources whose unauthorized disclosure or modification could result in small to moderate fines, penalties or civil actions (Proprietary). 

P2 - Low

Institutional Information and related IT Resources that may not be specifically protected by statute, regulations or other contractual obligations or mandates, but are generally not intended for public use or access (Internal).
  • Business records and documentation not containing P3 or P4 data
    • email, calendar, meeting notes
  • Research using publicly available data*
  • UC directory info (where no FERPA block is requested)*
  • Building Plans
  • Calendar information not containing P3 or P4 information
  • Routine email not containing P3 or P4 information
  • Meeting notes not containing P3 or P4 information
  • Information intended for release only on a need-to-know basis, including personal information not otherwise classified as P1, P3 or P4
  • Non-P3/P4 data protected or restricted by contract, grant, or other agreement terms and conditions*
  • Exams (questions and answers)
  • Non-public research using publicly available data*
  • Licensed software/software license keys
  • Library paid subscription electronic resources

 

P1 - Minimal

Public information or information intended to be readily obtainable by the public, but whose integrity is important and for which unauthorized modification is the primary protection concern (Public). 
  • Hours of operation
  • Parking regulations
  • Course catalogs
  • Press releases
  • Public websites 
  • Public event calendars
  • Published research

*Please note such data may also be subject to IRB regulations if collected as part of a human subjects research study.

P4 requires the most security controls and P1 requires a minimal set of controls. It is important to classify the information accurately so that appropriate compliance requirements can be identified. Under-classification may result in inadequate protections that could lead to data breaches. Classifications should be applied in compliance with the requirements outlined in UC or campus policy, law, regulation or contract. For more examples, definitions, and key terms, see the UC Institutional Information and IT Resource Classification Standard.

Get Help

Contact the ITS Support Center if you need assistance with IT security or IS policy.