Highly Sensitive Data Protection Standard for Individual-Use Electronic Devices or Media
Table of Contents
1. Purpose and Background
2. Standards
a) User’s Responsibilities
b) Required Approval for Storage of HSD on any individual-use electronic device or media
c) Required Reporting of the Loss of Highly Sensitive Data (HSD)
d) Secure Deletion of Files
3. Definitions
4. Related Links
5. Exceptions
Revision History: June 2, 2021 [1], November 24, 2020 [2], November 23, 2020 [3]
1. Purpose and Background
The University of Virginia Data Protection of University Information (IRM-003) [5] policy requires that all those who access, collect, display, generate, process, store or transmit highly sensitive data [6] (HSD) follow UVA policies, standards, and procedures, as well as federal and state laws and regulations, and contractual obligations, to ensure the highest level of security and confidentiality is applied to HSD.
The risk of unauthorized disclosure [7] of HSD [6] is very high when such data are stored on individual-use electronic devices [8] and/or individual-use electronic media [9], since these items are easily stolen. The University, therefore, strictly limits the circumstances under which HSD [6] may be stored on these electronic devices [10] and media [11].
This standard details the requirements when highly sensitive data [6] must unavoidably be stored on individual-use electronic devices [8] and/or individual-use electronic media [9] regardless of whether these are owned by the University or the individual.
This standard applies to the Academic Division, the College at Wise, University-Associated Organizations, and Health System users who want to store or collect HSD on an individual-use device that has not already been approved for storage of HSD by the Health Information and Technology Service Request form [12] in compliance with Policy IT-001: Technology Acquisition - Acquisition of IT-Enabled Resources Connecting to Health System Resources [13]. This standard does not replace any other policies, legal requirements, or contractual obligations.
2. Standards
User’s Responsibilities
It is the responsibility of all users [14] to determine if they have:
- highly sensitive data [6] on their electronic device(s) [10] or media [11] (regardless of whether the device(s) or media are owned by the University or the individual) and/or,
- access to highly sensitive data [6] (usually by using the High Security VPN [15]).
If either or both of these conditions are true, users must also comply with all applicable policies, standards, procedures, laws, regulations, and contractual obligations.
Required Approval for Storage of HSD on any individual-use electronic device [8] or media [9]
- Before storing highly sensitive data [6] (HSD) on any individual-use electronic device [8] or media [9], approval for such storage must be obtained by submitting an exception request [16].
- Requests should only be made when no feasible alternatives exist.
- The exception process [16] replaces the HSD Storage Request form that was previously required.
- HSD MUST NOT be stored on any individual-use electronic device [8] or media [9] until approval is granted.
If approval is not granted to store HSD [6] on an individual-use electronic device [8] or media [9], there are centrally provided and managed resources for the storage of HSD. Contact your Local Support Partner (LSP) or the UVA Help Desk [17] at 434-924-4357 or [email protected] [18] for assistance identifying the appropriate place to store the HSD.
If approval is granted to store HSD [6] on an individual-use electronic device [8] or media [9], then all controls specified in the approval must be followed to safeguard the highly sensitive data [6] stored on the electronic device [8] or media [9].
Required Reporting of the Loss of Highly Sensitive Data (HSD)
-
The loss, theft, or unauthorized disclosure [7] of highly sensitive data is a security incident that must be reported within one (1) hour from the time the incident is identified. Report the incident at the Reporting a Security Incident [19] website (preferred) or by telephoning (434) 924-4165.
-
If an individual-use electronic device [8] or media [9] is lost or stolen, it must be reported to the police in the location where the theft or loss occurred as well as to University Information Security at Reporting a Security Incident [19] (preferred) or by telephoning (434) 924-4165.
Secure Deletion of Files
Any data, file, or information, including highly sensitive data [6] (HSD), that is no longer needed must be securely removed from the device [10] or media [9] using secure methods according to the Electronic Data Removal Procedures [20].
If destroying data [21] that
- is the official record [22] for the University, or
- does not exist elsewhere, or
- may or may not have met the required retention requirements,
users must comply with the University Records Management Policy [23] by completing of a Certificate of Records Destruction (RM3) [24] form.
Contact the Records Management Office for guidance [25].
3. Definitions
See the list of definitions [26] for the Acceptable Use, Data Protection, Information Security, and Privacy & Confidentiality policies.
4. Related Links
- Data Protection of University Information (IRM-003) [5]
- Electronic Data Removal Standard [27]
- Electronic Data Removal Procedure [20]
- Record Management Policy [23]
- Cybersecurity Awareness for Faculty and Staff [28]
- Security of Network Connected Devices [29]
- University Data Protection Standards [30]
- University Use of Highly Sensitive Data Standard [31]
- Health Information and Technology Service Request form [12]
- Policy IT-001: Technology Acquisition - Acquisition of IT-Enabled Resources Connecting to Health System Resources [13]
5. Exceptions
If you cannot meet this standard’s requirements, you must use the exception request process [16].