Protection of Highly Sensitive Data Procedure

Table of Contents

1.  Purpose and Background
2.  Procedures
     a) HSD on Individual-Use Devices or Media
     b) Access to UVA systems with HSD
         1) High Security VPN (HSVPN)
         2) Health IT (HIT) VPN
     c) Approvals Required for New Use of HSD
         1) Who to contact?
         2) Written Request Information
         3) Completing approval 
3.  Definitions
4.  Related Links
5.  Further Guidance
6.  Exceptions

[Return to Library]

REVISION HISTORY: New 12/2/2022

1. Purpose and Background

The University of Virginia Data Protection of University Information (IRM-003) policy requires that all departments and users who access, collect, display, generate, process, store, or transmit highly sensitive data (HSD) follow UVA policies, standards, and procedures as well as federal and state laws and regulations, and contractual obligations to ensure the highest level of security and confidentiality is applied to HSD.     

This procedure details the requirements that must be followed to safeguard HSD while engaging in any processes involving these data.  This procedure applies to all who access, collect, display, generate, process, store, or transmit, highly sensitive data (HSD) on behalf of the University, in the Academic Division, the University of Virginia Health System, University of Virginia‘s College at Wise (Wise), and University Associated-Organizations (UAOs)

[Table of Contents]

2. Procedures

HSD on Individual-Use Devices or Media

Before highly sensitive data (HSD) can be stored on any individual-use electronic device or media approval for such storage must be granted.  This requirement applies to the Academic Division, the College at Wise, University Associated-Organizations, and Health System users.

The Highly Sensitive Data Protection for Individual-Use Electronic Devices or Media standard provides information about requirements for the request and storage of HSD on an individual-use electronic device (e.g., laptop) or media (e.g., USB thumb drive), regardless of who owns the device or media. 

Access to UVA systems with HSD

Any server, device, or system designed to be accessed by multiple users simultaneously that accesses, collects, displays, generates, processes, stores, or transmits highly sensitive data (HSD) must be on a network that: 

  • uses the UVA High Security Virtual Private Network (HSVPN), or 
  • uses the Health Information and Technology (HIT) Virtual Private Network (VPN) or 
  • has been reviewed and approved by the University Information Security office. 

Both the UVA High Security Virtual Private Network (HSVPN) and the Health Information and Technology (HIT) Virtual Private Network (VPN) require the installation of assessment software that checks the security posture of the device each time it connects to the VPN.  Below are the details for each UVA VPN.

High Security VPN (HSVPN)
Health Information and Technology (HIT) VPN 

Approvals Required for New Uses of HSD

  • Any new business process using any system or process that has not been previously reviewed by the University Information Security office for the collection, generation, transmission, display, processing, or storage of HSD;
  • Any new business process or system that is mission critical; and/or 
  • Any new business process that involves engaging a third-party vendor who will access, collect, display, generate, process, store, or transmit HSD and/or provide services/systems that are mission critical must be approved prior to implementation.  See the Vendor Security Review standard for details. 
Who to contact

Anyone in the UVA Academic Division, the UVA’s College at Wise, or a University-Associated Organization (UAO) initiates a requests by emailing the University Information Security office to [email protected].

Anyone in the Health System initiates requests by emailing the Health Information and Technology Information Security office at [email protected]

Written Request Information

The written request must include the following information:

  1. Essential business need for the proposed use of HSD or mission critical service;
  2. Detailed description of how the HSD will be accessed, collected, displayed, generated, processed, stored, and/or transmitted, including any hardware or software involved;
  3. Name and contact information of both the requestor and a technical contact for the department/area.
  4. If a third-party vendor is used, a Service Organization Control 2 (SOC 2) Type II report must be submitted PRIOR to procurement as required by the Vendor Security Review Standard.
Completing approval

After initial approval by the appropriate Information Security office, the following approvals must be obtained before proceeding with the proposed use of HSD.

  1. Approval from the appropriate Data Trustee, Data Steward, or Deputy Data Steward who has responsibility for the HSD repository to be accessed.
  2. Approval of the vice president or dean responsible for the department making the request.

Approvals must be stored by the requestor and affiliated department for subsequent audit purposes.

[Table of Contents]

3. Definitions

See the list of definitions for the Acceptable Use, Data Protection, Information Security, and Privacy & Confidentiality policies.

[Table of Contents]

4. Related Links

[Table of Contents]

5. Further Guidance

[Table of Contents]

6. Exceptions

If you cannot meet this procedure’s requirements, you must use the policy exception request process.

[Table of Contents]

APPROVER: Chief Information Security Officer