1. Purpose and Background
The University of Virginia is strongly committed to maintaining the privacy and security of highly sensitive data (HSD) it collects. There are various University policies, federal and state laws and regulations, and contractual obligations that govern how such data must be protected during use. The purpose of the standard, and its associated policy, is to provide an overview of controls and best practices used by the University to meet or exceed legal and contractual requirements to safeguard HSD while engaging in business processes involving these data. This standard applies to all users who store, collect, transmit, generate or display highly sensitive data (HSD; see Definition) on behalf of the University, including the Academic Division, Medical Center, College at Wise, and University-related Foundations.
Protecting Highly Sensitive Data During Use
The University of Virginia collects and maintains highly sensitive data while conducting approved University business, and as required by law. The University classifies several types of information as highly sensitive data and specifies how this class of data is to be protected during use.
In accordance with this standard the University agrees to the following:
- HSD will be handled in compliance with University policies, applicable regulations, and laws thus ensuring the highest level of security and confidentiality is applied to HSD.
- Access, generation, collection, storage, and transmission of HSD will only be allowed when essential and approved for business processes or to fulfill required legal or tax obligations.
- The display of HSD on computer screens, reports, and other view formats will be limited to only those with authorized access.
- Electronic copies of HSD will be provided only to authorized personnel when essential for an approved business purpose.
- Storage of HSD on individual-use electronic devices and media will be allowed only with prior approval.
- Authorize the fewest number of people possible to access SSNs or other HSD in both electronic and non-electronic form.
- University departments are required, as part of an annual Information Security Risk Management program, to maintain an accurate inventory of HSD repositories within the department and to ensure that the users with access to each HSD repository match approved access;
- Data stewards are appointed to grant access to stored HSD only if necessary for an approved business purpose;
- Electronic and non-electronic HSD will be securely destroyed following the period of business use or relevant retention period in accordance with University policies IRM-003, Data Protection of University Information, and IRM-017, Records Management, and with the Electronic Data Removal Procedures.
- The University will NOT print HSD on identification cards or badges or include HSD in magnetic strips or bar codes;
- The University will NOT use HSD as account numbers or identifiers for individuals in new electronic or non-electronic records or record systems unless needed for an approved purpose or required by law.
Additional Controls Governing the Use of Social Security Numbers
In addition to the above listed controls for other types of highly sensitive data, the University applies supplemental handling controls to Social Security numbers (SSNs):
- The University agrees to inform individuals who are asked to supply SSNs whether the SSN is legally required, or if they may refuse. They will also be informed of any specific consequences of providing or not providing the information.
Approvals Required for New Use of HSD
Any new business process involving the collection, display, and/or transmission(s) of HSD must be approved prior to implementation. Requests are initiated via email to the University Information Security office at firstname.lastname@example.org. This written request must include the following information:
- Essential business need for the proposed use of SSNs;
- Detailed description of how the SSNs will be collected, stored, displayed, and/or transmitted, including any hardware or software involved;
- Name and contact information of both the requestor and a technical contact for the department/area.
Following any initial approval by the Information Security office, requestors must:
2. After approval by both Information Security office and appropriate Data Steward, seek the approval of the vice president or dean responsible for the department making the request.
Approvals must be stored by the requestor and affiliated department for subsequent audit purposes.
See the list of definitions for the Acceptable Use, Data Protection, Information Security, and Privacy & Confidentiality policies.
4. Related Links
- Data Protection of University Information (IRM-003)
- University Data Protection Standards
- Data Loss Prevention (DLP) tools
- Records Retention and Disposal Policy (IRM-017)
- Highly Sensitive Data Standard
- Highly Sensitive Data Storage Request Form (approvalform.doc)
If you think you need to request an exception to these requirements, please refer to the Exceptions Process.