Table of Contents
1. Purpose and Background
a) Annual Approval
b) Finding and Removing Highly Sensitive Data
c) Required Safeguards for Storage of HSD on Individual-Use Electronic Devices or Media
4. Related Links
1. Purpose and Background
The background for these procedures can be found on the Highly Sensitive Data Protection Standard for Individual-Use Electronic Devices or Media webpage and the associated Data Protection of University Information (IRM-003) policy.
Approval for the storage of HSD on an individual-use electronic device or on media is required annually and will be considered only when no feasible alternatives exist. Additionally, before anyone can store highly sensitive data (HSD) on any individual-use electronic device or media s/he must get approval for such storage, annually, by submitting the Highly Sensitive Data (HSD) Storage Request form. Anyone completing a HSD Storage Request form is encouraged to consult the University Information Security’s Policy and Compliance group for additional information regarding the process before submitting the form for approval.
The person requesting the storage on an individual-use electronic device or media must state the essential business need that requires storage on an individual-use electronic device or media, list the alternatives considered, and explain why each is unsuitable. If the storage of HSD being requested will involve outsourced management of an individual-use device, this intention must be stated on the HSD Storage Request form, along with vendor contact information and rationale for outsourcing.
The HSD Storage Request form requires three levels of approval.
- Once completed, the HSD Storage Request form must be reviewed and approved by the University Information Security office. If approval is granted, the form is returned to requestor who must then submit it for approval to the requestor’s department head/chair. Note: If the requestor does not have a signed Electronic Access Agreement on file or proof of completion of the responsible computing tutorial, the request will not be considered.
- If the department head/chair supports the request, the form must then be submitted for next level approval to the appropriate vice president or dean, or similar-level University official or designee responsible for the department with which the individual is primarily affiliated.
- If the vice president or dean (or similar-level University official or designee responsible for the department with which the individual is primarily affiliated) approves the Highly Sensitive Data Storage Request form, then this signed form must be kept by the requesting individual in a secure location for subsequent audit purposes.
Individuals who request approval to store HSD must take steps to protect those data while they await approval and MUST NOT store such data on any individual-use electronic device or media until approval is granted.
In order to determine whether HSD is stored on a device, all non-student users must scan for HSD at least quarterly on all individual use devices and electronic media under their use or control by using the University provided software. Once installed, the software will scan most computer files and list those that appear to include social security numbers, credit card numbers, or, optionally, medical record numbers. The software presents the user with options for handling the files. If no HSD is found following a completed scan, no further action is required.
Note: Although the software is designed to only locate HSD, some scan results may include false positives that are not actually sensitive. Users may find it easiest to remove such non-sensitive data as they would true HSD rather than continue to encounter it during subsequent scans.
Destruction of Official University Records
If destroying data that (1) is the official record for the University, (2) does not exist elsewhere, or (3) may or may not have met the required retention, please comply with the University Records Management Policy by completing of a Certificate of Records Destruction (RM3) form or contacting the Records Management Office for guidance.
Required Safeguards for Storage of HSD on Individual-Use Electronic Devices or Media
a. Highly sensitive data must be securely encrypted on the electronic device or media, according to encryption methods recommended by the University Information Security office or, for Health Systems users, the Health Information and Technology Security office.
b. A log-in password must be enabled if available for the individual use electronic device or media. The password must meet or exceed appropriate complexity levels detailed at: http://www.its.virginia.edu/accounts/passwords.html. The password must not be shared with anyone, except where data are being transferred to someone else via electronic media utilizing shared password security.
c. A password-protected screen saver, if available, must be enabled on the individual use electronic device and set to activate after a maximum of ten minutes of user inactivity. The password must meet or exceed appropriate complexity levels detailed at: http://www.its.virginia.edu/accounts/passwords.html. The password must not be shared with anyone, except where data are being transferred to another authorized individual via electronic media utilizing shared password security.
e. HSD data that is no longer required must be securely removed immediately from the individual-use electronic device or media using secure methods according to the Electronic Data Removal Procedures.
As noted earlier, it is the responsibility of individuals to determine if they have highly sensitive data on their individual-use device(s) and media and, if so, to ensure compliance with the Data Protection of University Information (IRM-003) and its standards and procedures.
See the list of definitions for the Acceptable Use, Data Protection, Information Security, and Privacy & Confidentiality policies.
4. Related Links
- Data Protection of University Information (IRM-003)
- Highly Sensitive Data Protection Standard for Individual-Use Electronic Devices or Media
- University Data Protection Standards
- Record Management Policy
- Responsible Computing Handbook
If you think you need to request an exception to these requirements, please refer to the Exceptions Process.