Data Classification - Four Protection Levels
University data is classified into four Protection Levels based on the impact a breach would have on UC San Diego. The higher the protection level, the more security controls are required.
Protection Level
Information and IT resources must be protected based on their value and risk.
It is important to classify them correctly. If they are over-classified, it can create unnecessary work, cost, and compliance requirements. If they are under-classified, they may not have enough protection, which could lead to data loss, security issues, or system compromise.
| Protection Level | Impact of disclosure or compromise | Examples |
|---|---|---|
|
🔴 P4 – High Protection Level Optional Meaning: Highest‑risk data; strictest controls |
Institutional Information and related IT Resources whose unauthorized disclosure or modification could result in significant fines, penalties, regulatory action, or civil or criminal violations. Statutory, regulatory, and contract obligations are major drivers for this risk level. Other drivers include, but are not limited to, the risk of significant harm or impairment to UC students, patients, research subjects, employees, guests/program participants, UC reputation, the overall operation of the Location, or essential services. (Statutory.) |
|
|
🟠 P3 – Moderate Protection Level Optional Meaning: Sensitive/confidential data |
Institutional Information and related IT Resources whose unauthorized disclosure or modification could result in small to moderate fines, penalties, or civil actions. Institutional Information, for which unauthorized use, access, disclosure, acquisition, modification, loss, or deletion could result in moderate damage to UC, its students, patients, research subjects, employees, community, and/or reputation; could have a moderate impact on the privacy of a group; could result in moderate financial loss; or could require legal action. This classification level also includes lower-risk items that, when combined, represent increased risk. (Proprietary.) |
|
|
🟡 P2 – Low Protection Level Optional Meaning: Internal‑use data |
Institutional Information and related IT Resources that may not be specifically protected by statute, regulations, or other contractual obligations or mandates, but are generally not intended for public use or access. In addition, information of which unauthorized use, access, disclosure, acquisition, modification, or loss could result in minor damage or small financial loss, or cause a minor impact on the privacy of an individual or group. (Internal) |
|
|
🟢 P1 – Minimal Protection Level Optional Meaning: Public or minimally restricted data |
Public information or information intended to be readily obtainable by the public, but whose integrity is important and for which unauthorized modification is the primary protection concern. IT Resources for which the application of minimum security requirements is sufficient. (Public.) |
|