Table of Contents
1. Purpose and Background
2. Standards
a) Protecting Highly Sensitive Data
b) Required Reporting of the Loss of Highly Sensitive Data (HSD)
3. Definitions
4. Related Links
5. Exceptions
REVISION HISTORY: New 12/2/2022
1. Purpose and Background
The University of Virginia Data Protection of University Information (IRM-003) policy requires that all those who access, collect, display, generate, process, store, or transmit highly sensitive data (HSD) follow UVA policies, standards, and procedures as well as federal and state laws and regulations, and contractual obligations to ensure the highest level of security and confidentiality is applied to HSD.
This standard and its associated procedure detail the requirements that must be met to safeguard HSD while engaging in any processes involving these data.This standard applies to all departments and users who access, collect, display, generate, process, store, or transmit highly sensitive data (HSD) on behalf of the University, including the Academic Division, Medical Center, College at Wise, and University-Associated Organizations.
2. Standards
Protecting Highly Sensitive Data
The University of Virginia accesses, collects, displays, generates, processes, stores, and transmits highly sensitive data while conducting approved University business and research, and as required by law. The University classifies several types of information as highly sensitive data and specifies how these data must be protected.
In accordance with the University of Virginia IRM-003: Protection of University Information policy:
- Access, collection, display, generation, processing, storage, and transmission of HSD will only be allowed when essential and approved for business processes or to fulfill required legal or tax obligations.
- Access to, and/or viewing of, Social Security Numbers (SSNs) or other HSD in any form (electronic and non-electronic) must be granted to the fewest number of people possible and only when essential for an approved business or research purpose.
- Data stewards are appointed to grant access to HSD.
- Approval from University Information Security must be obtained before storing HSD on an individual-use electronic device, removable media, or third party service or vendor.
- Managers and chairs within University departments or units are required to maintain an accurate inventory of HSD repositories within their unit or department, as outlined in the University Data Protection Standards.
- All HSD, regardless of how it is stored, must be securely destroyed following the period of business use or relevant retention period in accordance with University policies IRM-003: Data Protection of University Information, IRM-017: Records Management, and the Electronic Data Removal Procedure.
- Individual users must know if they have:
- highly sensitive data (HSD) on their electronic device(s) or media (regardless of whether the device(s) or media are owned by the University or the individual) and/or,
- access to highly sensitive data on other systems.
In accordance with University of Virginia IRM-003: Data Protection of University Information policy, the University agrees to the following:
- The University will NOT print HSD on identification cards or badges or include HSD in magnetic strips or bar codes;
- The University will NOT use HSD as account numbers or identifiers for individuals in new electronic or non-electronic records or record systems unless needed for an approved purpose or required by law.
- The University agrees to inform individuals who are asked to supply Social Security Numbers (SSNs) whether the SSN is legally required or if they may refuse. They will also be informed of any specific consequences of providing or not providing this information.
Required Reporting of the Loss of Highly Sensitive Data (HSD)
- The loss, theft, or unauthorized disclosure of highly sensitive data s a security incident that must be reported within one (1) hour from the time the incident is identified. Report the incident at the "Reporting a Security Incident” webpage (preferred) or by telephoning (434) 924-4165.
- If an individual-use electronic device or media is lost or stolen, the loss or theft must be reported to the police in the location where the theft or loss occurred as well as to University Information Security at "Reporting a Security Incident” (preferred) or by telephoning (434) 924-4165.
3. Definitions
See the list of definitions for the Acceptable Use, Data Protection, Information Security, and Privacy & Confidentiality policies.
4. Related Links
- Data Protection of University Information (IRM-003)
- Electronic Data Removal Procedure
- Electronic Data Removal Standard
- Highly Sensitive Data Standard for Individual-Use Electronic Devices or Media
- Protection of Highly Sensitive Data Procedure
- Records Retention and Disposal Policy (IRM-017)
- Remediation of HSD in Office 365 Procedure
- University Data Protection Standards
- Vendor Security Review Standard
5. Exceptions
If you cannot meet this standard’s requirements, you must use the policy exception request process.