Protection of Highly Sensitive Data Standard

Table of Contents

1.  Purpose and Background
2.  Standards
     a) Protecting Highly Sensitive Data
     b) Required Reporting of the Loss of Highly Sensitive Data (HSD)
3.  Definitions
4.  Related Links
5.  Exceptions

[Return to Library]


1. Purpose and Background

The University of Virginia Data Protection of University Information (IRM-003) policy requires that all those who access, collect, display, generate, process,  store, or transmit highly sensitive data (HSD) follow UVA policies, standards, and procedures as well as federal and state laws and regulations, and contractual obligations to ensure the highest level of security and confidentiality is applied to HSD.  

This standard and its associated procedure detail the requirements that must be met to safeguard HSD while engaging in any processes involving these data.This standard applies to all departments and users who access, collect, display, generate, process,  store, or transmit highly sensitive data (HSD)  on behalf of the University, including the Academic Division, Medical Center, College at Wise, and University-Associated Organizations.


[Table of Contents]

2. Standards

Protecting Highly Sensitive Data

The University of Virginia accesses, collects, displays, generates, processes, stores, and transmits highly sensitive data while conducting approved University business and research, and as required by law. The University classifies several types of information as highly sensitive data and specifies how these data must be protected.

In accordance with the University of Virginia IRM-003: Protection of University Information policy:

In accordance with University of Virginia IRM-003: Data Protection of University Information policy,  the University agrees to the following:

  • The University will NOT print HSD on identification cards or badges or include HSD in magnetic strips or bar codes;
  • The University will NOT use HSD as account numbers or identifiers for individuals in new electronic or non-electronic records or record systems unless needed for an approved purpose or required by law.
  • The University agrees to inform individuals who are asked to supply Social Security Numbers (SSNs) whether the SSN is legally required or if they may refuse.  They will also be informed of any specific consequences of providing or not providing this information. 

Required Reporting of the Loss of Highly Sensitive Data (HSD)

  • The loss, theft, or unauthorized disclosure of highly sensitive data s a security incident that must be reported within one (1) hour from the time the incident is identified.  Report the incident at the "Reporting a Security Incident” webpage (preferred) or by telephoning (434) 924-4165.   
  • If an  individual-use electronic device  or media is lost or stolen, the loss or theft must be reported to the police in the location where the theft or loss occurred as well as to University Information Security at "Reporting a Security Incident” (preferred) or by telephoning (434) 924-4165.

[Table of Contents]

3. Definitions

See the list of definitions for the Acceptable Use, Data Protection, Information Security, and Privacy & Confidentiality policies.

[Table of Contents]

4. Related Links

[Table of Contents]

5. Exceptions

If you cannot meet this standard’s requirements, you must use the policy exception request process.

[Table of Contents]

APPROVER: Chief Information Officer