Search Information Security site

 

Main menu

Faxes and Highly Sensitive Data (HSD)

As we adjust to the reality of COVID-19 impact, many of our business units have started reviewing their continuity of operations plans (COOP).  As a result, our office has been contacted multiple times by units who are sending or receiving faxes containing highly sensitive data and are looking for way to do this function from a remote (i.e. off-Grounds) location. 
 
Below is information to help answer some of the questions we have recently received.  Should you have specific questions, comments, or concerns, please contact the Information Security IT Compliance team at [email protected] 

Q:  Are there technologies in place at the University that I can use instead of the fax machine?

A:  Units may send and receive (even from external, non-UVA recipients) HSD documents using the UVA-licensed and approved version of DocuSign. Contact [email protected] for accounts and instruction. Be sure to avoid downloading any highly sensitive documents received via DocuSign, as saving HSD locally is not permitted.

Q: Can I just ask the recipient to email the information to me?

A:  No.  University Policy (https://security.virginia.edu/university-data-protection-standards) states that Highly Sensitive Data (HSD) is not permitted to be transmitted via non-secured methods.  Email travels across multiple networks in a non-encrypted form.  Therefore, email cannot be used to securely transfer the data.  

Q:  Can I have our fax machine automatically forward faxes to an email address?

A:  No.  If a fax is being sent via email, the data could easily be exposed as it travels between networks and mail servers.  This does not meet the University Policy on data protection.

Q:  Can't we just buy one of the commercial faxing services that send the fax to us in email?

A:  No.  If a fax is being sent via email, the data could easily be exposed as it travels between networks and mail servers.  This does not meet the University Policy on data protection.

Q:  If I need to run the faxing service, do you have any suggestions if my group is working remotely?

A:  Assuming that the fax machine is in a secure location, business units could nominate an individual or individual(s) to retrieve faxes and secure them.

Q:  What if I get unsolicited, yet important, faxes?

A:  Information Security recommends turning off fax machines to prevent the arrival of unsolicited faxes containing HSD.  If the sender cannot get the fax to transmit, they will reach out and contact someone.

Q:  Can I forward our fax number to another fax number?

A:  If the other fax can accept faxes in a secure manner, where the data is protected from accidental exposure, then this may be an acceptable solution.  However, please contact the Information Security IT Compliance team at [email protected] before going this route so we can discuss further.

 

Report an Information
Security Incident

Please report any level of incident, no matter how small. The Information
Security office will evaluate the report and provide a full investigation if appropriate.

Complete Report Form