Highly Sensitive Data Protection Standard for Individual-Use Electronic Devices or Media

Date: 6/2/2021                           
Last Revised: 6/2/2021                           
Governing Policy: Data Protection of University Information (IRM-003)                   
Applies To: Academic Division, the Medical Center, the College at Wise, and University-Associated Organizations. 

Table of Contents

1. Purpose and Background 
2. Standards 
a) User’s Responsibilities  
b) Required Approval for Storage of HSD on any individual-use electronic device or media 
c) Required Reporting of the Loss of Highly Sensitive Data (HSD) 
d) Secure Deletion of Files 
3. Definitions 
4. Related Links 
5. Exceptions


1. Purpose and Background

The University of Virginia Data Protection of University Information (IRM-003) policy requires that all those who access, collect, display, generate, process, store or transmit highly sensitive data (HSD) follow UVA policies, standards, and procedures, as well as federal and state laws and regulations, and contractual obligations, to ensure the highest level of security and confidentiality is applied to HSD.

The risk of unauthorized disclosure of HSD is very high when such data are stored on individual-use electronic devices and/or individual-use electronic media, since these items are easily stolen. The University, therefore, strictly limits the circumstances under which HSD may be stored on these electronic devices and media.

This standard details the requirements when highly sensitive data must unavoidably be stored on individual-use electronic devices and/or individual-use electronic media regardless of whether these are owned by the University or the individual.

This standard applies to the Academic Division, the College at Wise, University-Associated Organizations, and Health System users who want to store or collect HSD on an individual-use device that has not already been approved for storage of HSD by the Health Information and Technology Service Request form in compliance with Policy IT-001: Technology Acquisition - Acquisition of IT-Enabled Resources Connecting to Health System Resources. This standard does not replace any other policies, legal requirements, or contractual obligations.


2. Standards

 

User’s Responsibilities

It is the responsibility of all users to determine if they have:

If either or both of these conditions are true, users must also comply with all applicable policies, standards, procedures, laws, regulations, and contractual obligations.

 

Required Approval for Storage of HSD on any individual-use electronic device or media

If approval is not granted to store HSD on an individual-use electronic device or media, there are centrally provided and managed resources for the storage of HSD. Contact your Local Support Partner (LSP) or the UVA Help Desk at 434-924-4357 or [email protected] for assistance identifying the appropriate place to store the HSD.

If approval is granted to store HSD on an individual-use electronic device or media, then all controls specified in the approval must be followed to safeguard the highly sensitive data stored on the electronic device or media.

 

Required Reporting of the Loss of Highly Sensitive Data (HSD)

 

Secure Deletion of Files

Any data, file, or information, including highly sensitive data (HSD), that is no longer needed must be securely removed from the device or media using secure methods according to the Electronic Data Removal Procedures.

If destroying data that

  1. is the official record for the University, or
  2. does not exist elsewhere, or
  3. may or may not have met the required retention requirements,

users must comply with the University Records Management Policy by completing a Certificate of Records Destruction (RM3) form.
Contact the Records Management Office for guidance.


3. Definitions

See the list of definitions for the Acceptable Use, Data Protection, Information Security, and Privacy & Confidentiality policies.


4. Related Links


5. Exceptions

If you cannot meet this standard’s requirements, you must use the exception request process.


Approved by, Date: Chief Information Officer, June 2, 2021     
Next Scheduled Review: 6/24/2024     
Revision History:  June 2, 2021, November 24, 2020, November 23, 2020