Guidance on Electronic Storage of Highly Sensitive Data Policy
The risk of unauthorized disclosure of highly sensitive data is very high when such data are stored on individual-use electronic devices and media, since these items are easily stolen. Highly sensitive data currently include personal information that can lead to identity theft if exposed (e.g., name in combination with SSN) and information that reveals an individual’s health condition and/or history of health services use (e.g., personally identifiable medical records). The University, therefore, strictly limits the circumstances under which highly sensitive data may be stored on these devices and media. It further mandates that strict security requirements be met when highly sensitive data must unavoidably be stored on individual-use electronic devices or electronic media. It is the responsibility of individuals to determine if they have highly sensitive data on their device(s) and media and, if so, to ensure compliance with this policy.
Note: Unless you have received explicit notice from your department or school outlining a different process, you are responsible for completing the steps below. For example, the Medical Center and the Darden School are handling certain of these steps centrally for devices that they manage (you may still be responsible for personally-owned or personally-managed devices). If you are unsure about what you are responsible for, please check with your department.
Policy on Electronic Storage of Highly Sensitive Data
What’s the Policy?
Full text: University's policy on Electronic Storage of Highly Sensitive Data
Synopsis: Highly sensitive data can only reside on individual-use devices and media with the approval of the responsible vice president or dean, and then only if the data are encrypted and the device and/or media are protected by strict security requirements.
Application: This policy applies to all faculty, staff, and others who electronically store highly sensitive data collected on behalf of the University, including the Academic Division, Medical Center, College at Wise, and University-related Foundations. This policy applies to all highly sensitive University data stored on individual-use electronic devices or electronic media, regardless of whether those devices or media are owned by the University or the individual. This policy does not supplant any other policies, legal requirements, or contractual obligations.
Policy implementation: This policy applied to mobile devices and media effective June 19, 2008; it was effective for desktop computers as of July 1, 2009. It is the responsibility of individuals to determine if they have highly sensitive data on their individual-use device(s) and media and, if so, to ensure compliance with this policy. Failure to comply with requirements of this policy will result in disciplinary action up to and including termination.
What Do I Need To Do?
Because of the magnitude of effort, the University of Virginia has adopted a risk-based, phased approach for implementing this policy. The compliance phases are:
Phase 1: Desktop computers, laptops, tablets, smart phones, other mobile devices, and electronic media
Since the small size and portability of mobile devices and media make them a higher risk for theft, achieving policy compliance for these items takes priority over compliance for desktop computers. In Phase 1 the process of compliance begins on the policy's effective date and quick action on each step outlined below is needed. Individuals are required to:
Easy to use University-provided software is available to help individuals locate certain personal information on their computers. Once installed, the software will scan all computer files and list those that appear to include social security numbers, credit card numbers, or medical record numbers. The software presents the user with options for handling the files.
If you find no highly sensitive data on any of your mobile devices or media, you are done with this step and can move on to reviewing your desktop devices.
In addition to periodically running this software, individuals should routinely delete files in a secure manner when they are no longer needed.
If highly sensitive data are found, you must either:
Securely delete any highly sensitive data you find that are not needed for an approved business purpose or official records retention.
Move any highly sensitive data you find to a secure server if the data are needed for an approved business purpose or official records retention.
If assistance is needed accessing server space, please contact your department's IT support personnel or ITS's MicroSystems group.
If the highly sensitive data must be kept on your mobile device or media, then...
Get the responsible vice president or dean’s written approval. Complete this form and submit it to your department head/chair. If your department head/chair supports the request, he or she must forward the forms to the appropriate vice president or dean for approval.
Both while waiting for approval and after receiving approval, the highly sensitive data must be protected
Encrypt the device or media.
Follow strict security requirements to protect the device or media
Individuals who are denied approval to store highly sensitive data must securely delete the data from their mobile device(s) and/or electronic media.
Phase 2: Desktops
The process for bringing desktop computers into compliance is the same as that for mobile devices and media described above. Compliance for desktop computers may be addressed as part of efforts by schools, departments, divisions, and business units to implement the Protection and Use of Social Security Numbers Policy. These plans must be completed by July 1, 2008 and they must be implemented by July 1, 2009.
What’s My Department and the University Doing?
SSN Initiative: This policy protecting highly sensitive data complements the University's Protection and Use of Social Security Numbers Policy. In order to meet the SSN policy requirements, departments need to get approval before using SSNs in any new way. By July 1, 2008, departments will need to identify all records and records systems within their purview that use SSNs, and develop a remediation plan, which, following approval, must be implemented by July 1, 2009.
If Your Device or Media Containing Highly Sensitive Data is Lost or Stolen...
If a device or media of yours containing highly sensitive data is lost or stolen, please immediately 1) report it to the UVa police (911 from on Grounds), and 2) follow the directions at "Reporting a Security Incident."
Contact and Questions
Check the FAQs for common questions.
Questions regarding specific devices and process within your department, contact your IT support personnel.
For questions regarding the Identity Finder software, see UVa's Identity Finder page.
Questions regarding this policy should be directed to the firstname.lastname@example.org.