A knowledge base article about Clarifying UID Data Classification (P2 vs. P3) provided by the UC Berkeley IT Service Hub - Knowledge Portal
The UID has traditionally been a default field in the Campus Directory. It is an immutable, sequentially assigned key used by systems to identify a person and is not considered Personally Identifiable Information (PII).
- A UID should not be used on its own to access or request access to services (unlike a Student ID, which can be used for password resets).
- UIDs are not used for authentication or identity verification.
- While the UID is often the primary identifier in identity tokens returned to an application after an interactive CalNet login, it is not the mechanism granting the access.
Data Classification Distinction (P2 vs. P3)
We want to ensure we are accurately communicating the boundary between P2 and P3 classification to users who may push back:
- The UID is a P2 data element. Its presence or inclusion in a data set does not automatically bump the system's classification up to P3. Associating UIDs with records for legitimate business purposes falls under acceptable business use.
- Using the UID as a method to access systems is an unapproved use and would bump the system classification to P3.