IS-3 Data Classification Protection Levels

The UC Davis Data Classification Protection levels are used for assessing the potential adverse impact that loss of confidentiality, integrity or availability of Institutional Information and IT Resources would have upon the Campus. Considerations for evaluating potential adverse impact to UC Davis due to loss of data or resource confidentiality, integrity, or availability include:
  • Loss of critical Campus operations
  • Negative financial impact (money lost, lost opportunities, value of the data)
  • Damage to the reputation of the Institution
  • Risk of harm to individuals (such as in the case of a breach of personal information)
  • Potential for regulatory or legal action
  • Requirement for corrective actions or repairs
  • Violation of University of California or UC Davis mission, policy, or principles

Protection Level P4

Adverse Business Impact: High

Institutional Information and IT Resources that require notification to affected parties in case of a confidentiality breach. This category also includes data and systems that create extensive "Shared-Fate" risk, where a compromise would cause further and extensive compromise among multiple (even unrelated) sensitive systems. Unauthorized disclosure or modification of P4 data or resources could result in significant fines or penalties, regulatory action, or civil or criminal violations. If P4 data or resources are exposed or compromised, there is inherent significant risk to UC reputation and business continuity, along with harm or impairment to UC students, patients, research subjects, employees, or guests/program participants.

Examples
  • Social security number (SSN), Driver's license number, or California State identification number
  • Passport documentation (images and numbers)
  • Personal health insurance information
  • Financial account numbers, credit or debit card numbers and financial account security codes, access codes, or passwords
  • Personal medical information, including protected health information (PHI) covered under HIPAA
  • Passwords, PINs and passphrases, or other authentication secrets that can be used to access P2 to P4 information or to manage IT Resources
  • A username or email address, in combination with a password or security question and answer that would permit access to an online account
  • General Data Protection Regulation (GDPR) special categories (Article 9 ‘sensitive’) of identifiers.
  • Federal Controlled Unclassified Information (CUI)
  • Financial aid and student loan information; Financial, accounting, and payroll systems
  • Individually identifiable human subject research data containing P4 data elements, or that the Institutional Review Board (IRB) determines is high risk/P4
  • High risk export-controlled data or technology (DoE 10 CFR Part 810, high-risk EAR/ITAR). Contact the Export Control Office for a determination.
  • Industrial Control Systems affecting life and safety

Protection Level P3

Adverse Business Impact: Moderate

Institutional Information and IT Resources whose unauthorized use, access, disclosure, acquisition, modification, loss, or deletion could result in moderate fines, penalties or civil actions. This classification level also includes lower risk items that, when combined, represent an increased risk. Unauthorized disclosure or modification of P3 data or resources could result in legal action, harm the privacy of a group, cause moderate financial loss, or contribute to reputational damage.

Examples
  • Personally identifiable information not already classified as P4. Includes personal information as defined in the General Data Protection Regulation (GDPR)
  • FERPA-Protected Student Records (including Student ID) not containing P4 information. Does not include P2 Public Directory Information
  • Security camera recordings
  • Building entry records
  • Data related to animal research projects
  • Industrial control systems affecting operations
  • Attorney-Client Privileged Information
  • Research information classified as Protection Level 3 (P3) by an Institutional Review Board (IRB)
  • Low risk export-controlled data or technology (EAR/ITAR). Contact the Export Control Office for a determination.
  • IT security information, exception requests and system security plans
  • Staff and academic Personnel Records (including Employee ID) not containing P4 information. Does not include P2 Public Directory Information
  • Medical devices supporting diagnostics (not containing P4 information)

Protection Level P2

Adverse Business Impact: Low

Institutional Information and IT Resources that may not be explicitly protected by statutes or other contractual regulations, but are not commonly intended for public use or access and should only be accessed on a need-to-know basis. Unauthorized disclosure or modification of P2 data could result in minor damage or small financial loss, or cause a minor impact on the privacy of an individual or group.

Examples
  • Information intended for release only on a need-to-know basis, including personal information not otherwise classified as P1, P3 or P4
  • Non-P3/P4 data protected or restricted by contract, grant, or other agreement terms and conditions
  • De-identified human subject or patient information (with negligible re-identification risk and no Notice-Triggering data elements)
  • Routine email and business records not containing P3 or P4 information
  • Exams (questions and answers)
  • Calendar information not containing P3 or P4 information
  • Meeting notes not containing P3 or P4 information
  • Non-public research using publicly available data
  • Public Directory Information for faculty, staff, and students who have not requested a FERPA block
  • Licensed software/software license keys
  • Library paid subscription electronic resources

Protection Level P1

Adverse Business Impact: Minimal

Information intended for public access, but whose integrity is important. For P1, unauthorized modification is the primary protection concern. The application of minimum security requirements is sufficient.

Examples
  • Public-facing informational websites
  • Course listings and prerequisites
  • Public event calendars
  • Hours of operation
  • Parking regulations
  • Press releases
  • Published research

Reference: https://iet.ucdavis.edu/security/uc-davis-data-classification-guide

Updated May 2022