Highly senstive data (HSD), as defined in the UVA Policy IRM-003: Data Protection of University Information, are: data that require restrictions on access under the law or that may be protected from release in accordance with applicable law or regulation, such as Virginia Code § 18.2-186.6. Breach of Personal Information Notification. Highly Sensitive data (HSD) currently include personal information that can lead to identity theft. HSD also includes health information that reveals an individual’s health condition and/or medical history.
Specific examples include, but are not limited to:
- Any store or file of passwords or user-ids and passwords on any multi-user system or computer.
- Personal information that, if exposed, can lead to identity theft. This may include a personal identifier (e.g., name, date of birth) as well as one of the following elements:
- Social security number;
- Driver’s license number or state identification card number issued in lieu of a driver’s license number;
- Passport number;
- Financial account number in combination with any required security code, access code, or password that would permit access to a financial account;
- Credit card or debit card number, including any cardholder data in any form on a payment card: or
- Military Identification Number.
Also considered HSD are any form of personally identifying information in combination with social security number (SSN), driver’s license number, passport number, financial account number and required security code, and/or military ID number. For example, computing ID and driver’s license number, or home address and SSN.
Note that credit card numbers can never be stored either alone or in combination with any other identifiers.
- Health information is any information that, if exposed, can reveal an individual’s health condition and/or history of health services use, including information defined by Health Insurance Portability and Accountability Act (HIPAA) as protected health information (PHI).
- Cardholder Data (CHD): Primary cardholder account number that identifies the issuer and a particular cardholder account, which can include cardholder name, expiration date and/or service code.