Data Classification - Four Protection Levels

Under the IS-3 Electronic Information Security policy, university data is classified into one of four categories, known as Protection Levels. For the complete classification guide on Protection Levels, including explanations of the classifications and additional examples, see the Classification of Information and IT Resources Guide.

P4 - High Protection Level

Impact of disclosure or compromise	Examples
Institutional Information and related IT Resources whose unauthorized disclosure or modification could result in significant fines, penalties, regulatory action, or civil or criminal violations. Statutory, regulatory, and contract obligations are major drivers for this risk level. Other drivers include, but are not limited to, the risk of significant harm or impairment to UC students, patients, research subjects, employees, guests/program participants, UC reputation, the overall operation of the Location, or essential services. (Statutory.)	Financial records: credit card, financial aid, payroll Personally Identifiable Info (PII) Social security numbers Sensitive or identifiable research data: human subject, export controlled U.S. State Department International Traffic in Arms Regulations (ITAR)

Impact of disclosure or compromise

Examples

Institutional Information and related IT Resources whose unauthorized disclosure or modification could result in significant fines, penalties, regulatory action, or civil or criminal violations. Statutory, regulatory, and contract obligations are major drivers for this risk level. Other drivers include, but are not limited to, the risk of significant harm or impairment to UC students, patients, research subjects, employees, guests/program participants, UC reputation, the overall operation of the Location, or essential services. (Statutory.)

Financial records: credit card, financial aid, payroll
Personally Identifiable Info (PII)
Social security numbers
Sensitive or identifiable research data: human subject, export controlled U.S. State Department International Traffic in Arms Regulations (ITAR)

P3 - Moderate Protection Level

Impact of disclosure or compromise	Examples
Institutional Information and related IT Resources whose unauthorized disclosure or modification could result in small to moderate fines, penalties, or civil actions. Institutional Information of which unauthorized use, access, disclosure, acquisition, modification, loss, or deletion could result in moderate damage to UC, its students, patients, research subjects, employees, community, and/or reputation; could have a moderate impact on the privacy of a group; could result in moderate financial loss; or could require legal action. This classification level also includes lower-risk items that, when combined, represent increased risk. (Proprietary.)	Student Education Records (FERPA) IT Security information and plans UC personnel records Attorney-client privileged information Research classified as P3 by the Institutional Review Board (IRB)

Impact of disclosure or compromise

Examples

Institutional Information and related IT Resources whose unauthorized disclosure or modification could result in small to moderate fines, penalties, or civil actions. Institutional Information of which unauthorized use, access, disclosure, acquisition, modification, loss, or deletion could result in moderate damage to UC, its students, patients, research subjects, employees, community, and/or reputation; could have a moderate impact on the privacy of a group; could result in moderate financial loss; or could require legal action. This classification level also includes lower-risk items that, when combined, represent increased risk. (Proprietary.)

Student Education Records (FERPA)
IT Security information and plans
UC personnel records
Attorney-client privileged information
Research classified as P3 by the Institutional Review Board (IRB)

P2 - Low Protection Level

Impact of Disclosure	Examples
Institutional Information and related IT Resources that may not be specifically protected by statute, regulations, or other contractual obligations or mandates, but are generally not intended for public use or access. In addition, information of which unauthorized use, access, disclosure, acquisition, modification, or loss could result in minor damage or small financial loss, or cause minor impact on the privacy of an individual or group. (Internal)	Business records and documentation not containing P3 and P4 data Email, calendar, or meeting notes Research using publicly available data UC directory information (where no FERPA block is requested) Building plans

Impact of Disclosure

Examples

Institutional Information and related IT Resources that may not be specifically protected by statute, regulations, or other contractual obligations or mandates, but are generally not intended for public use or access. In addition, information of which unauthorized use, access, disclosure, acquisition, modification, or loss could result in minor damage or small financial loss, or cause minor impact on the privacy of an individual or group. (Internal)

Business records and documentation not containing P3 and P4 data
Email, calendar, or meeting notes
Research using publicly available data
UC directory information (where no FERPA block is requested)
Building plans

P1 - Minimal Protection Level

Impact of disclosure or compromise	Examples
Public information or information intended to be readily obtainable by the public, but whose integrity is important and for which unauthorized modification is the primary protection concern. IT Resources for which the application of minimum security requirements is sufficient. (Public.)	Hours of operation Parking regulations Course catalogs Press releases Public websites