1. Purpose
Establishes guidelines for classifying and handling Institutional Information to ensure compliance with UC’s IS-3 policy and protect sensitive data from unauthorized access or loss.
2. Scope
These guidelines should be followed by all faculty, staff, researchers, and students handling Institutional Information in any format (digital or physical).
3. Data Classification Levels
Institutional Information is classified into four levels based on sensitivity and regulatory requirements:
- P1 - Public: Information intended for public access (e.g., course catalogs, public research data).
- P2 - Internal: Information not for public release but with minimal risk if disclosed (e.g., internal memos).
- P3 - Confidential: Information requiring restricted access due to legal, contractual, or privacy concerns (e.g., employee records, unpublished research).
- P4 - Highly Confidential: Information that, if disclosed, could cause significant harm (e.g., financial data, patient records).
4. Handling and Security Controls
- Storage: P3 and P4 data must be stored in encrypted and access-controlled environments.
- Transmission: P3 and P4 data must be transmitted via encrypted channels.
- Access Control: Access to P3 and P4 data is restricted to authorized personnel only.
- Disposal: Data classified as P3 or P4 must be securely deleted following UC’s Institutional Information Disposal Standard.
5. Compliance and Review
- These guidelines will be reviewed annually and updated as necessary to align with IS-3 and other UC security policies. The more detailed and up-to-date official UC policy can be found here.
For questions regarding these guidelines, contact the Unit Information Security Lead (UISL) at itcontact@bren.ucsb.edu.