Highly Sensitive Data Protection Standard for Individual-Use Electronic Devices or Media

Table of Contents

1.  Purpose and Background
2.  Standards
     a) User’s Responsibilities 
     b) Required Approval for Storage of HSD on any individual-use electronic device or media
     c) Required Reporting of the Loss of Highly Sensitive Data (HSD)
     d) Secure Deletion of Files
3.  Definitions
4.  Related Links
5.  Exceptions

Revision History: June 2, 2021, November 24, 2020, November 23, 2020

1. Purpose and Background

The University of Virginia Data Protection of University Information (IRM-003) policy requires that all those who access, collect, display, generate, process, store or transmit highly sensitive data (HSD) follow UVA policies, standards, and procedures, as well as federal and state laws and regulations, and contractual obligations, to ensure the highest level of security and confidentiality is applied to HSD. 

The risk of unauthorized disclosure of HSD is very high when such data are stored on individual-use electronic devices and/or individual-use electronic media, since these items are easily stolen. The University, therefore, strictly limits the circumstances under which HSD may be stored on these electronic devices and media.

This standard details the requirements when highly sensitive data must unavoidably be stored on individual-use electronic devices and/or individual-use electronic media regardless of whether these are owned by the University or the individual. 

This standard applies to the Academic Division, the College at Wise, University-Associated Organizations, and Health System users who want to store or collect HSD on an individual-use device that has not already been approved for storage of HSD by the Health Information and Technology Service Request form in compliance with Policy IT-001: Technology Acquisition - Acquisition of IT-Enabled Resources Connecting to Health System Resources. This standard does not replace any other policies, legal requirements, or contractual obligations.

2. Standards

User’s Responsibilities

It is the responsibility of all users to determine if they have:

If either or both of these conditions are true, users must also comply with all applicable policies, standards, procedures, laws, regulations, and contractual obligations.

Required Approval for Storage of HSD on any individual-use electronic device or media

If approval is not granted to store HSD on an individual-use electronic device or media, there are centrally provided and managed resources for the storage of HSD. Contact your Local Support Partner (LSP) or the UVA Help Desk at 434-924-4357 or [email protected] for assistance identifying the appropriate place to store the HSD.

If approval is granted to store HSD on an individual-use electronic device or media, then all controls specified in the approval must be followed to safeguard the highly sensitive data stored on the electronic device or media.

Required Reporting of the Loss of Highly Sensitive Data (HSD)

Secure Deletion of Files

Any data, file, or information, including highly sensitive data (HSD), that is no longer needed must be securely removed from the device or media using secure methods according to the Electronic Data Removal Procedures.

If destroying data that

  1. is the official record for the University, or
  2. does not exist elsewhere, or
  3. may or may not have met the required retention requirements,

users must comply with the University Records Management Policy by completing a Certificate of Records Destruction (RM3) form. Contact the Records Management Office for guidance.

3. Definitions

See the list of definitions for the Acceptable Use, Data Protection, Information Security, and Privacy & Confidentiality policies.

4. Related Links

5. Exceptions

If you cannot meet this standard’s requirements, you must use the exception request process.

APPROVER: Chief Information Officer
