Data Classification
- Michael Nesbit (Unlicensed)
- Adam Sottosanti (Deactivated)
- Diana Antova
Overview: Each data set published to Power BI will be labeled with a Protection Level based on the following Guidelines. Data Set Documentation can be found here: Google Drive
Relevant Documents:
UC Protection Level Guide: UC Protection Level Classification Guide
Summary of Classification Levels
P1: Public - information for public distribution.
Risk from exposure: None
Access: Not restricted
Examples of P1 data:
INSTITUTIONAL INFORMATION TYPE | JUSTIFICATION |
Public-facing websites | Intended for public use |
Public event calendars | Intended for public use |
Press releases | Intended for public use |
Hours of operation | Intended for public use |
Parking regulations | Intended for public use |
Course catalogs | Intended for public use |
Published research | Intended for public use |
P2: Internal - Unauthorized release of this data may have a limited effect on UCSB’s operations, assets or individuals.
Risk from exposure: Low
Access: Restricted to UCSB faculty, staff and students. User ID and password required.
Examples of P2 data:
Note: Student directory data is classified at P2, if the student has not requested a FERPA block. For details look at the table below.
INSTITUTIONAL INFORMATION TYPE | JUSTIFICATION |
Routine business records and e-mail | Operational integrity |
Calendar information | Operational integrity |
Meeting notes | Operational integrity |
Research using publicly available data | Operational integrity |
UC directory (faculty, staff and students who have not requested a FERPA block) | Operational integrity |
De-identified patient information (negligible re-identification risk) | Academic integrity |
Unpublished research work and intellectual property not in Level 3 or 4 | Academic integrity |
Patent applications and work papers, drafts of research papers | Academic integrity Operational integrity |
Building plans and information about the university physical plant | Operational integrity Protective information |
P3: Sensitive - Unauthorized release of this data may have a negative effect on UCSB’s operations, assets or individuals.
Risk from exposure: Medium
Access: Restricted to people with a business need to know. MFA required.
Examples of P3 data:
Note: Student and employee data is classified at P3 level. For details look at the table below.
INSTITUTIONAL INFORMATION TYPE | JUSTIFICATION |
Attorney-Client Privileged Information | Legal protection |
Student education records | FERPA |
Student special services records | FERPA, Privacy |
Security camera recordings | Protective information |
Building entry records from automated key card system | Protective information |
IT security information and system security plans | Protective information |
Exams (questions and answers) | Academic integrity |
Animal research protocols | Academic integrity |
Export Controlled Research (ITAR, EAR) | Regulation |
UC personnel records | Privacy |
Research information classified as Level 3 by an Internal Research Board (IRB) (if done by the IRB) | Academic integrity |
Federal Data (Pre CUI) | FISMA |
P4: Restricted - Unauthorized release of this data may have a serious effect on UCSB individuals.
Risk from exposure: High
Access: Restricted to people entitled to know. MFA required.
Examples:
Note: Student eligibility/awarding of certain financial aid (PELL grants, CAL grants, etc.) is classified at P4 level. Student health data (HIPAA) is also classified at P4. For additional details look at the table below. At this time we are choosing to not publish some of the more restricted data from the table below, such as credit card information, social security numbers, and medical information for students. Please see the Prohibited category below.
INSTITUTIONAL INFORMATION TYPE | JUSTIFICATION |
Controlled Unclassified Information (CUI) | Government contract |
Credit card cardholder information | PCI |
Financial, accounting, payroll information | Integrity |
Financial aid information, student loans | GLBA |
Personally Identifiable Information (PII) | PII, regulatory |
Protected Health Information (PHI) / patient records | HIPAA |
Social Security Numbers | PII, GLBA, Civil Code |
Sensitive Identifiable Human Subject Research | Privacy |
Research information classified as Level 4 by an IRB or otherwise required to be stored or processed in a high security environment | Academic integrity |
Individually identifiable genetic information (human subject identifiable) | Privacy |
Human subject research data with individual identifiers, particularly those identified in CA law | Privacy, regulatory |
Passwords, PINs and passphrases that can be used to access P2 to P4 information or manage IT Resources. | Operational integrity |
Information with contractual requirements for P4-level protection | Contract |
Prohibited– Unauthorized release of this data may have a severe or catastrophic effect on UCSB’s operations, assets or individuals.
**This data is not allowed to be used in the Power BI Service.
Risk from exposure: High
Access: Tightly controlled. MFA required.
Examples:
Social Security Numbers
Credit Card numbers
Drivers License numbers
Bank Account numbers
Biometric data
Credentials for university systems (accounts/passwords)