Skip to main content

System Status: 

Data Classification - Four Protection Levels

University data is classified into four Protection Levels based on the impact a breach would have on UC San Diego. The higher the protection level, the more security controls are required.

Protection Level

Information and IT resources must be protected based on their value and risk.

It is important to classify them correctly. If they are over-classified, it can create unnecessary work, cost, and compliance requirements. If they are under-classified, they may not have enough protection, which could lead to data loss, security issues, or system compromise.

Protection levels
Protection Level Impact of disclosure or compromise Examples

🔴 P4 – High Protection Level

Optional Meaning: Highest‑risk data; strictest controls

Institutional Information and related IT Resources whose unauthorized disclosure or modification could result in significant fines, penalties, regulatory action, or civil or criminal violations. Statutory, regulatory, and contract obligations are major drivers for this risk level. Other drivers include, but are not limited to, the risk of significant harm or impairment to UC students, patients, research subjects, employees, guests/program participants, UC reputation, the overall operation of the Location, or essential services. (Statutory.)

🟠 P3 – Moderate Protection Level

Optional Meaning: Sensitive/confidential data

Institutional Information and related IT Resources whose unauthorized disclosure or modification could result in small to moderate fines, penalties, or civil actions. Institutional Information, for which unauthorized use, access, disclosure, acquisition, modification, loss, or deletion could result in moderate damage to UC, its students, patients, research subjects, employees, community, and/or reputation; could have a moderate impact on the privacy of a group; could result in moderate financial loss; or could require legal action. This classification level also includes lower-risk items that, when combined, represent increased risk. (Proprietary.)

🟡 P2 – Low Protection Level

Optional Meaning: Internal‑use data

Institutional Information and related IT Resources that may not be specifically protected by statute, regulations, or other contractual obligations or mandates, but are generally not intended for public use or access. In addition, information of which unauthorized use, access, disclosure, acquisition, modification, or loss could result in minor damage or small financial loss, or cause a minor impact on the privacy of an individual or group. (Internal)
  • Business records and documentation not containing P3 and P4 data
  • Email, calendar, or meeting notes
  • Research using publicly available data
  • UC directory information (where no FERPA block is requested)
  • Building plans

🟢 P1 – Minimal Protection Level

Optional Meaning: Public or minimally restricted data

Public information or information intended to be readily obtainable by the public, but whose integrity is important and for which unauthorized modification is the primary protection concern. IT Resources for which the application of minimum security requirements is sufficient. (Public.)
  • Hours of operation
  • Parking regulations
  • Course catalogs
  • Press releases
  • Public websites
For more information on the Classification of Information and IT Resources, please visit the hyperlinked page.