Table of Contents
1. Purpose and Background
a) User’s Responsibilities
b) Required Approval for Storage of HSD on any individual-use electronic device or media
c) Required Reporting of the Loss of Highly Sensitive Data (HSD)
d) Secure Deletion of Files
4. Related Links
1. Purpose and Background
The University of Virginia Data Protection of University Information (IRM-003) policy requires that all those who access, collect, display, generate, process, store or transmit highly sensitive data (HSD) follow UVA policies, standards, and procedures, as well as federal and state laws and regulations, and contractual obligations, to ensure the highest level of security and confidentiality is applied to HSD.
The risk of unauthorized disclosure of HSD is very high when such data are stored on individual-use electronic devices and/or individual-use electronic media, since these items are easily stolen. The University, therefore, strictly limits the circumstances under which HSD may be stored on these electronic devices and media.
This standard details the requirements when highly sensitive data must unavoidably be stored on individual-use electronic devices and/or individual-use electronic media regardless of whether these are owned by the University or the individual.
This standard applies to the Academic Division, the College at Wise, University-Associated Organizations, and Health System users who want to store or collect HSD on an individual-use device that has not already been approved for storage of HSD by the Health Information and Technology Service Request form in compliance with Policy IT-001: Technology Acquisition - Acquisition of IT-Enabled Resources Connecting to Health System Resources. This standard does not replace any other policies, legal requirements, or contractual obligations.
It is the responsibility of all users to determine if they have:
- highly sensitive data on their electronic device(s) or media (regardless of whether the device(s) or media are owned by the University or the individual) and/or,
- access to highly sensitive data (usually by using the High Security VPN).
If either or both of these conditions are true, users must also comply with all applicable policies, standards, procedures, laws, regulations, and contractual obligations.
- Before storing highly sensitive data (HSD) on any individual-use electronic device or media, approval for such storage must be obtained by submitting an exception request.
- Requests should only be made when no feasible alternatives exist.
- The exception process replaces the HSD Storage Request form that was previously required.
- HSD MUST NOT be stored on any individual-use electronic device or media until approval is granted.
If approval is not granted to store HSD on an individual-use electronic device or media, there are centrally provided and managed resources for the storage of HSD. Contact your Local Support Partner (LSP) or the UVA Help Desk at 434-924-4357 or [email protected] for assistance identifying the appropriate place to store the HSD.
If approval is granted to store HSD on an individual-use electronic device or media, then all controls specified in the approval must be followed to safeguard the highly sensitive data stored on the electronic device or media.
Required Reporting of the Loss of Highly Sensitive Data (HSD)
The loss, theft, or unauthorized disclosure of highly sensitive data is a security incident that must be reported within one (1) hour from the time the incident is identified. Report the incident at the Reporting a Security Incident website (preferred) or by telephoning (434) 924-4165.
If an individual-use electronic device or media is lost or stolen, it must be reported to the police in the location where the theft or loss occurred as well as to University Information Security at Reporting a Security Incident (preferred) or by telephoning (434) 924-4165.
Secure Deletion of Files
Any data, file, or information, including highly sensitive data (HSD), that is no longer needed must be securely removed from the device or media using secure methods according to the Electronic Data Removal Procedures.
If destroying data that
- is the official record for the University, or
- does not exist elsewhere, or
- may or may not have met the required retention requirements,
See the list of definitions for the Acceptable Use, Data Protection, Information Security, and Privacy & Confidentiality policies.
4. Related Links
- Data Protection of University Information (IRM-003)
- Electronic Data Removal Standard
- Electronic Data Removal Procedure
- Protection of Highly Sensitive Data Standard
- Protection of Highly Sensitive Data Procedure
- Record Management Policy
- Cybersecurity Awareness for Faculty and Staff
- Security of Network Connected Devices
- University Data Protection Standards
- University Use of Highly Sensitive Data Standard
- Health Information and Technology Service Request form
- Policy IT-001: Technology Acquisition - Acquisition of IT-Enabled Resources Connecting to Health System Resources
If you cannot meet this standard’s requirements, you must use the exception request process.