

Electronic Storage of Highly Sensitive Data FAQs

Who is responsible for removing the highly sensitive data from my drive?

Unless you have received explicit notice from your department or school outlining a different process, you are responsible for completing the steps outlined in the guidance document. The Medical Center and the Darden School, for example, are handling certain of these steps centrally for devices that they manage, though you may still be responsible for personally-owned or personally-managed devices. If you are unsure about what you are responsible for, please check with your department.

What is "highly sensitive data" in the context of the policy?

For purposes of this policy, highly sensitive data currently include personal information that can lead to identity theft if exposed (e.g., Social Security numbers, passport numbers, driver's license numbers, financial account numbers) and health information that reveals an individual’s health condition and/or history of health services use (e.g., personally identifiable medical records). While other types of sensitive data, such as student names in combination with course grades, obviously exist, the negative impact of unauthorized exposure of data specifically covered by this policy is especially acute. For additional details, see the full definition from the policy.

What about paper documents containing highly sensitive data?

This policy does not apply to non-electronic records. However, please note that these data do require protection under the University's Protection and Use of Social Security Numbers Policy (see also the SSN Initiative page) and the University's HIPAA compliance efforts.

I am not sure if certain files need to be retained. Whom do I talk to?

The best source of information is the data or process owner, who should be able to tell you whether or not the information is subject to the University and State's retention requirements; see the University's policy on Records Retention for related requirements and procedures. In general, copies may be disposed of or redacted as long as the official record is retained as required by law.

I have some personal files on my hard drive that contain sensitive information about me. Do I need to securely delete them as well?

Although the policy only applies to data collected on behalf of the University, it would be smart to protect yourself by removing any highly sensitive data referring to yourself from your device. The University is not responsible if your own personal information is exposed as the result of your failure to protect it.

What about existing contracts with third parties?

Approval is not required for contracts existing at the effective date of the policy. Any contract subsequent to the policy effective dates requires written approval from the appropriate vice president or dean.

Contact Office

For questions regarding specific devices and processes within your department, contact your IT support personnel.

For questions regarding the Identity Finder software, see UVa's Identity Finder page.

Questions regarding this policy should be directed to

Report an Information Security Incident

Please report any level of incident, no matter how small. The Information
Security Office will evaluate the report and provide a full investigation.
