Skip to main content

System Status: 

  1. Home
  2. Buy & Pay
  3. Buying Goods
  4. Computers & Technology
  5. Software
  6. Protection Levels

Protection Levels

Last Updated: May 26, 2026 9:36:29 AM PDT
Give feedback

University data is classified into four Protection Levels based on the impact a breach would have on UC San Diego. The higher the protection level, the more security controls are required.

Information and IT Resources must be properly protected based on the value of the Institutional Information and IT Resource and the likelihood that the information or resource may be targeted for theft. It is important to classify assets accurately as over-classification may result in additional complexity, cost and compliance requirements. Under-classification may result in inadequate protections that could lead to data or resource compromise.

Protection Level Summary Definition Examples

P4

High

 Information and IT Resources requiring the highest level of confidentiality or integrity, including Notice-Triggering data and "Shared-Fate" data and systems.
  • “Notice-triggering” data elements such as SSN and other government-issued ID numbers, driver’s license, financial account numbers, credit card numbers, personal medical or personal health insurance information, and others
  • Passwords, PINs, passphrases, and private keys
  • Personally identifiable financial aid and student loan information
  • Official financial, accounting, and payroll systems of record
  • High risk human subject research data, including certain types of human genomic information
  • Industrial Control Systems affecting life and safety

P3

Moderate

 Information and IT Resources whose unauthorized use, access, disclosure, modification, loss or deletion could result in moderate harm or damage.
  • Most personally identifiable information not already classified as P4 or P2
  • FERPA-Protected Student Records not containing P4 information
  • Staff and academic Personnel Records not containing P4 information
  • Individually identifiable location data
  • Animal research protocols

P2

Low

 Institutional Information and IT Resources that are generally not intended for public use or access and may only be accessed on a need-to-know basis.
  • Information intended for release only on a need-to-know basis
  • De-identified human subject or patient information (with negligible re-identification risk and no Notice-Triggering data elements)
  • Public Directory Information for faculty, staff, and students who have not requested a FERPA block
  • UC Path Employee ID
  • Exams (questions and answers)

P1

Minimal

 Information intended for public access, but whose integrity is important.
  • Public-facing informational websites
  • Course listings and prerequisites
  • Press releases
  • Published research
  • Public event calendars
For more information on the Classification of Information and IT Resources, please visit the hyperlinked page.