UC Davis Data Classification Guide

Adverse Business Impact

Institutional Information and related IT Resources that require notification to affected parties in case of a confidentiality breach. This category also includes data and systems that create extensive "Shared-Fate" risk, where a compromise would cause further and extensive compromise among multiple (even unrelated) sensitive systems.

Unauthorized disclosure or modification of P4 data or resources could result in significant fines or penalties, regulatory action, or civil or criminal violations. There is also an inherent significant risk to UC reputation and business continuity, along with harm or impairment to UC students, patients, research subjects, employees, or guests/program participants.

• Data or systems that create extensive "Shared-Fate" risk between multiple sensitive systems, e.g., enterprise credential stores such as the CalNet credential database; Domain Name Service (DNS). This can include both campuswide and unit-level systems. 
• Data elements with a Statutory Requirement for Notification to affected parties in case of a confidentiality breach, such as:
  • Social security number (SSN)
  • Driver's license number
  • California State identification number
  • Financial account numbers, credit or debit card numbers and financial account security codes, access codes, or passwords
  • Personal medical information, including protected health information (PHI) covered under HIPAA(link is external)
  • Personal health insurance information
  • A username or email address, in combination with a password or security question and answer that would permit access to an online account
• General Data Protection Regulation(link is external) (GDPR) special categories (Article 9 ‘sensitive’) of identifiers.
• Passwords, PINs and passphrases, or other authentication secrets that can be used to access P2 to P4 information or to manage IT Resources
• Federal Controlled Unclassified Information (CUI)(link is external)
• Financial aid and student loan information
• Financial, accounting, and payroll systems

• Individually identifiable human subject research data containing P4 data elements, or that the Institutional Review Board (IRB) determines is high risk/P4

• Individually identifiable human genetic information

• High risk export controlled data or technology (DoE 10 CFR Part 810, high-risk EAR/ITAR). Contact the Export Control Office(link sends e-mail) for a determination.
• Industrial Control Systems affecting life and safety
• Passport documentation (images and numbers)

Protection 
Level P3

(formerly UCB PL1

Institutional Information and IT Resources whose unauthorized use, access, disclosure, acquisition, modification, loss, or deletion could result in moderate fines, penalties or civil actions. This classification level also includes lower risk items that, when combined, represent an increased risk. 

Unauthorized disclosure or modification of P3 data or resources could result in legal action, harm the privacy of a group, cause moderate financial loss, or contribute to reputational damage.

• Personally identifiable information not already classified as P4. Includes personal information as defined in the General Data Protection Regulation(link is external) (GDPR)
• FERPA-Protected Student Records (including Student ID) not containing P4 information. Does not include P2 Public Directory Information
• Security camera recordings
• Building entry records
• Data related to animal research projects 
• Attorney-Client Privileged Information
• Research information classified as Protection Level 3 (P3) by an Institutional Review Board (IRB)
• Low risk export controlled data or technology (EAR/ITAR). Contact the Export Control Office(link sends e-mail) for a determination.
• IT security information, exception requests and system security plans
• Staff and academic Personnel Records (including Employee ID) not containing P4 information. Does not include P2 Public Directory Information
• Medical devices supporting diagnostics (not containing P4 information)
• Industrial control systems affecting operations

Protection 
Level P2

(formerly UCB PL0 and PL1)

Institutional Information and IT Resources that may not be explicitly protected by statutes or other contractual regulations, but are not commonly intended for public use or access and should only be accessed on a need-to-know basis. 

Unauthorized disclosure or modification of P2 data could result in minor damage or small financial loss, or cause a minor impact on the privacy of an individual or group.

• Information intended for release only on a need-to-know basis, including personal information not otherwise classified as P1, P3 or P4
• Non-P3/P4 data protected or restricted by contract, grant, or other agreement terms and conditions
• De-identified(link is external) human subject or patient information (with negligible re-identification risk and no Notice-Triggering data elements)
• Routine email and business records not containing P3 or P4 information
• Exams (questions and answers)
• Calendar information not containing P3 or P4 information
• Meeting notes not containing P3 or P4 information
• Non-public research using publicly available data
• Public Directory Information for faculty, staff, and students who have not requested a FERPA block
• Licensed software/software license keys
• Library paid subscription electronic resources

Protection 
Level P1

(formerly UCB PL0)

• Public-facing informational websites
• Course listings and prerequisites
• Public event calendars
• Hours of operation
• Parking regulations
• Press releases
• Published research

• Central Campus authentication systems
• Student learning management system
• Backup data systems for A4 resources
• Central system management consoles
• Core network services, e.g. DNS, border/core routing, and firewalls
• Enterprise email 
• Financial, accounting, and payroll systems
• Building access systems
• Medical records system
• IT infrastructure and industrial control systems affecting life and safety (e.g. emergency 911 location system)

• Event ticketing systems
• Point-of-sale (POS) systems
• Campus time reporting system
• Issue tracking systems
• Security logs
• Building management systems
• File servers supporting business operations
• Operational knowledge base
• Clinical trial management system
• Medical devices supporting diagnostics
• Industrial control systems affecting operations
• Collaboration services such as calendaring, file sharing, code repositories

• Departmental websites
• Student life management system
• Staff learning management system
• Informational knowledge base

• Individual workstations, laptops, and other mobile devices
• Public directory
• Copy machines or printers