P2/P3 Data Classification Task Force

 

The P2/P3 Data Classification Task Force is working to improve the usability of the standard and update it to align with current institutional operations, policies, and applicable state and federal laws—while continuing to support UCSF Health’s core mission of caring, healing, teaching, and discovering.

UCSF’s Data Classification Standard serves as a location-specific interpretation of UC system-wide policy. It supersedes many of the requirements of the UC Institutional Information and IT Resource Classification Standard, although the system-wide standard may be referenced for guidance on the classification of data types not documented within this location-specific model.  

Contact EIA Data Compliance Team with any questions about the project or the standard.
 

Current policy up for revision

 

Workgroup Activities 2026

Recommendations 

P2/P3 Data Classification Task Force Recommendations for Enhancing Research Data Compliance through User-Centered Support

Develop clear, user-centered guidance for data classification decisions

Create practical documentation (e.g., decision trees, flowcharts, and concise examples) to help users consistently classify data across common use cases. Current ambiguity in classification criteria leads to inconsistent handling of sensitive data and increases institutional risk. Standardized, easy-to-navigate guidance will improve compliance, reduce user burden, and promote more uniform decision-making.

  • Future enhancement: Explore AI-assisted tools to support (not replace) data classification workflows. Such tools could suggest preliminary classifications based on dataset characteristics but should be positioned strictly as decision support.

Establish guidance for selecting appropriate data repositories based on classification level

Develop targeted guidance to help researchers determine when to use open versus controlled-access repositories for P2–P4 data. This should include key decision factors and align with institutional and sponsor expectations. Clear recommendations will reduce uncertainty and help ensure appropriate data stewardship while enabling responsible data sharing.

Enhance Data De-Identification Support for researchers

Given limited staffing, prioritize scalable support for quantitative and qualitative data de-identification by developing clear, standardized guidance and self-service resources for researchers, including practical methods for evaluating and mitigating re-identification risk.

Curate and adapt existing best practices from peer institutions and widely used research tools to provide applied methods for both quantitative and qualitative data.

Improve visibility into research computing resources and compliance

Expand the web-based inventory to show which security/compliance standards (e.g., NIST) each system meets. Add clear groupings for P1 and P2 data to help researchers quickly identify suitable, compliant platforms and reduce misalignment.

Collaborate with the ITOM Project Team to explore documenting the data classification level for all IT systems in a central location, such as the CMDB or IT Service Catalog.

Ongoing Guidance Development 

  1. Data Classification for Genomics data: DRAFT
  2. Data Classification Flow Chart: DRAFT


Stakeholders

Enterprise Information and Analytics (EIA) Department 
EIA Data Compliance 
Academic Research Services
Clinical and Translational Science Institute (CTSI)
Data Security Compliance
Export Control
Human Research Protection Program (HRPP)

Industry Contracts Division (ICD)
IT Governance 
Library
Privacy Office
Security and Policy
UCSF Research community representatives

Additional References 

 

 

 

 

 

CONFIDENTIALITY, INTEGRITY, AVAILABILITY