Substantive Change: University Use of Highly Sensitive Data Standard

Last modified
May 6, 2024 - 9:42am

The standard, University Use of Highly Sensitive Data, was extensively change and renamed to Protection of Highly Sensitive Data Standard.   The standard was revised to describe what everyone must do to protect Highly Sensitive Data (HSD), not just what the University must do.   In addition, user procedures were contained in the old standard. This revision breaks these procedures,  appropriately, out into its own document Protection of Highly Sensitive Data Procedure.

Reviewing carefully the revised standard and new procedure is highly recommended.


The list of items was revised under “the University agrees to the following” in the Protecting Highly Sensitive Data During Use section to be what users agree to do (or not do) rather than the University. 

The item under the section, “Additional Controls Governing the Use of Social Security Numbers”  was included in a new section with two other items from the earlier list (and the section header removed).
It was made clear that these are things the University agrees not to do with HSD in general and SSNs in particular.

Approvals Required for New Use of HSD section was moved to the Procedure document with the same heading. 


The Purpose and Background was revised to specify the UVA agencies and users to which it applies as well as reference to the University of Virginia Data Protection of University Information (IRM-003) policy.

The requirement, which has existed for years, to have approval prior to storing HSD on an individual-use electronic device or media.

The Procedure  document did not exist before. It includes: 

  • Requirement for approval before storing HSD on HSD on individual-use electronic device or media  
  • A section on the requirements for Access to UVA systems with HSD
    •   All servers that have HSD are on a network that requires either the HSVPN or the HIT VPN or have been previously approved by InfoSec.
    •   HSVPN and Health Information & Technology (HIT) VPN audience and requirements
  • Additional detail about who to contact depending on what division you are in: Academic, Wise, UAO, or Health System.
  • Written Request Information” section that takes some information from the old standard in the “Approvals Required for New Use of HSD” section.  It was expanded to include who must request approval, from whom, providing what information. 

Multiple new Related Links were added to both the standard and the procedure