Skip to main content

Help Guide: Identifying P3 and P4 Data

Updated

1. Purpose

This guide helps academic department employees determine whether the data they handle falls under Protection Level 3 (P3) or Protection Level 4 (P4), ensuring compliance with UC’s IS-3 policy. Data classification is critical for securing Institutional Information and meeting regulatory requirements.

2. Understanding P3 and P4 Data

Institutional Information is classified based on the risk posed if the data is exposed, altered, or lost. Below are common examples of P3 and P4 data in academic departments:

P3 Data – Moderate Risk

P3 data requires protection due to potential risks but is not considered highly sensitive. Examples include:

  • Student Affairs: Class enrollment records, student organization memberships, disciplinary actions.

  • Managers & HR Staff: Non-public personnel records, hiring documents, interview notes.

  • Finance Managers: Internal budget reports, department spending plans, purchase requests.

  • Faculty & Staff Emails: Emails discussing confidential department operations, unofficial student performance concerns.

  • Letters of Recommendation: Contains personal assessments but is not highly regulated.

P4 Data – High Risk

P4 data is highly sensitive and requires the highest level of security due to legal, privacy, or financial risks. Examples include:

  • Student Affairs: Disability accommodations, academic misconduct records, financial aid details.

  • Managers & HR Staff: Social Security Numbers, background check results, medical leave details.

  • Finance Managers: Banking details, payroll records, tax forms (W-2, 1099).

  • Faculty & Staff Emails: Emails containing SSNs, medical information, or disciplinary actions.

  • Health & Privacy Data: Any records containing HIPAA-protected health information (PHI) or FERPA-protected student data.

3. What to Do If You Handle P3 or P4 Data

  • Store securely in UC-approved services (Google Drive, Box, Bren Staff Department Share).

  • Avoid emailing sensitive data unless encrypted.

  • Limit access to those who need it (role-based access).

  • Regularly review and audit permissions.

  • Report data breaches to IT security immediately.

For further assistance, contact the Unit Information Security Lead (UISL) at itcontact@bren.ucsb.edu

 

Powered by Zendesk