Search Information Security site

 

Highly Sensitive Data Protection Standard for Individual-Use Electronic Devices or Media

Table of Contents

1.  Purpose and Background
2.  Standards
     a) Requirements for Storage of Highly Sensitive Data on Individual-Use Electronic Devices or Media
     b) Finding and Removing Highly Sensitive Data (HSD)
3.  Definitions
4.  Related Links
5.  Exceptions

[Return to Library]

1. Purpose and Background

The University of Virginia is strongly committed to maintaining the privacy and security of confidential personal information and other highly sensitive data it collects. It expects all those who store such information to treat these data with the utmost care. There are various University policies, federal and state laws and regulations, and contractual obligations that govern how such data must be protected.  The risk of unauthorized disclosure of HSD is very high when such data are stored on individual-use electronic devices and media, since these items are easily stolen. The University, therefore, strictly limits the circumstances under which HSD may be stored on these devices and media. It further mandates that all of the requirements that follow be met when highly sensitive data must unavoidably be stored on individual-use electronic devices or electronic media.

Additionally, any outsourcing of any collection, storage, transmission, or deletion of HSD on behalf of the University must be approved by the University Information Security office, appropriate data steward, appropriate department chair, and relevant vice president, dean, or similar-level University official or designee responsible for the department with which the individual or group of individuals is primarily affiliated.

The purpose of this standard is to highlight specific requirements that must be met by all who collect, store, transmit, or display highly sensitive data (HSD) on individual-use electronic devices or electronic media, regardless of whether those are owned by the University or the individual. These procedures do not supplant any other policies, legal requirements, or contractual obligations.

This standard, and its associated policy and procedure, applies to all users who electronically store, collect, transmit or display highly sensitive data (HSD) on behalf of the University, including the Academic Division, Medical Center, College at Wise, and University-related Foundations.

It is the responsibility of all non-student users to determine if they have highly sensitive data on their electronic device(s) and media and, if so, to ensure that the collection, storage, transmission, display, and deletion of any highly sensitive data is compliant with this standard, and its associated policy, IRM-003: Data Protection of University Information, and procedures for Individual-Use Electronic Devices or Media.

[Table of Contents]

2. Standards

Requirements for Storage of Highly Sensitive Data on Individual-Use Electronic Devices or Media

Storing HSD on an individual-use electronic device or media may be considered only when no feasible alternatives exist.  Additionally, before anyone can store highly sensitive data (HSD) on any individual-use electronic device or media s/he must get approval for such storage by submitting the Highly Sensitive Data (HSD) Storage Request form as detailed in the HSD Protection Procedures.  Anyone completing an HSD Storage Request form is encouraged to consult the University Information Security office’s Data Protection area before submitting the form for approval.

Individuals who request approval to store HSD must take steps to protect those data while they await approval and MUST NOT store such data on any individual-use electronic device or media until approval is granted.  The person requesting the storage on an individual‑use electronic device or media must state the essential business need that requires storage on an individual-use electronic device or media, list the alternatives considered, and explain why each is unsuitable.   Additional steps are detailed in the Highly Sensitive Data Protection Procedures for Individual-Use Electronic Devices and Media.   The HSD Storage Request form must be approved by the following entities in the following order:

  1. the University Information Security office,
  2. then the individual’s department head or chair, and
  3. the appropriate vice president or dean, or similar-level University official or designee responsible for the department with which the individual is primarily affiliated.

If management of the individual‑use electronic device or media is to be outsourced to any party external to the University then such outsourcing must be described on the HSD Storage Request form and approved by the three entities listed above.

Users who receive approval to store HSD on an individual‑use electronic media or device must take steps to protect those data in accordance with the Highly Sensitive Data Protection Procedures for Individual-Use Electronic Devices and Media.

As noted earlier, it is the responsibility of individuals to determine if they have highly sensitive data device(s) and media they access or use and, if so, to ensure compliance with the Data Protection of University Information policy (IRM-003) and its standards and procedures.

Finding and Removing Highly Sensitive Data (HSD)

In order to determine whether HSD is stored on a device, all non-student users must scan for HSD at least quarterly on all individual‑use electronic devices and media under their use or control by using the University‑provided softwareIf no HSD are found, no further action is required.  See the HSD Protection Procedures for details regarding scanning for HSD.

If highly sensitive data are found, individuals must either securely delete it, or securely move it to an approved and appropriate secure server.

If an individual-use electronic device or media containing highly sensitive data is lost or stolen, you must immediately 1) report it to the police (911 from on Grounds), and 2) follow the directions at "Reporting a Security Incident."

[Table of Contents]

3. Definitions

For a comprehensive list of the definitions found in the Acceptable Use, Data Protection, Information Security, and Privacy & Confidentiality policies, please click here.

[Table of Contents]

4. Related Links

[Return to Table of Contents]

5. Exceptions

If you think you need to request an exception to these requirements, please refer to the Exceptions Process.

[Table of Contents]

APPROVER: Chief Information Officer

Report an Information
Security Incident

Please report any level of incident, no matter how small. The Information
Security Office will evaluate the report and provide a full investigation.

Complete Report Form