Data Classification and Protection Levels

Data Classification Protection Levels:

Impact of loss of confidentiality or integrity

UC and campus policies establishe that Institutional Information and IT Resources must be protected according to their Protection Level and Availability Level classifications. Summary definitions and key examples of each Protection Level are included below. Full definitions and additional examples are available in the Protection Level Classification Table within the Data Classification Standard.  Additionally, a printable copy of the chart below is available for download.

Protection Level:

Summary Definition:

Key Examples:

P4 Level Flag

Information and IT Resources requiring the highest level of confidentiality or integrity, including Notice-Triggering data and "Shared-Fate" data and systems.
  • “Notice-triggering” data elements such as SSN and other government-issued ID numbers, driver’s license, financial account numbers, credit card numbers, personal medical or personal health insurance information, and others
  • Passwords, PINs, passphrases, and private keys
  • Personally identifiable financial aid and student loan information
  • Official financial, accounting, and payroll systems of record
  • High risk human subject research data, including certain types of human genomic information
  • Industrial Control Systems affecting life and safety
P3 Level Flag

Information and IT Resources whose unauthorized use, access, disclosure, modification, loss or deletion could result in moderate harm or damage.
  • Most personally identifiable information not already classified as P4 or P2
  • FERPA-Protected Student Records not containing P4 information
  • Staff and academic Personnel Records not containing P4 information
  • Individually identifiable location data
  • Animal research protocols
P2 Level Flag

Institutional Information and IT Resources that are generally not intended for public use or access and may only be accessed on a need-to-know basis.
  • Information intended for release only on a need-to-know basis
  • De-identified human subject or patient information (with negligible re-identification risk and no Notice-Triggering data elements)
  • Public Directory Information for faculty, staff, and students who have not requested a FERPA block
  • UC Path Employee ID
  • Exams (questions and answers)
P1 Level Flag

Information intended for public access, but whose integrity is important.
  • Public-facing informational websites
  • Course listings and prerequisites
  • Press releases
  • Published research
  • Public event calendars