Electronic Storage of Highly Sensitive Data
Here are definitions for key terms in the University's policy on Electronic Storage of Highly Sensitive Data and related guidance. These definitions come from the full text of the University's policy.
Individual-Use Electronic Devices
Computer equipment, whether owned by the University or an individual, that has a storage device or persistent memory, such as desktop computers, laptops, tablets, smart phones, and other mobile devices. For purposes of this policy, the term does not include shared purpose devices, such as servers (including shared drives), printers, routers, switches, firewall hardware, clinical workstations, medical devices (e.g. EKG machines), etc.
Individual-Use Electronic Media
All media, whether owned by the University or an individual, on which electronic data can be stored, including but not limited to external hard drives, magnetic tapes, diskettes, CDs, DVDs, and USB storage devices (e.g. thumb drives).
Highly Sensitive Data
For purposes of this policy, highly sensitive data currently include personal information that can lead to identity theft if exposed and health information that reveals an individual’s health condition and/or history of health services use. While other types of sensitive data, such as student names in combination with course grades obviously exist, the negative impact of unauthorized exposure of data specifically covered by this policy (and described in detail below) is especially acute.
Personal information that, if exposed, can lead to identity theft. "Personal information” means the first name or first initial and last name in combination with and linked to any one or more of the following data elements about the individual:
- Social security number;
- Driver’s license number or state identification card number issued in lieu of a driver’s license number;
- Passport number; or
- Financial account number, or credit card or debit card number.
Health information that, if exposed, can reveal an individual’s health condition and/or history of health services use. “Health information”, also known as “protected health information (PHI)”, includes health records combined in any way with one or more of the following data elements about the individual:
- All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people, and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
- All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
- Telephone numbers
- Fax numbers
- Electronic mail addresses
- Social security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger and voice prints
- Full face photographic images and any comparable images; and
- Any other unique identifying number, characteristic, or code that is derived from or related to information about the individual
- The Vice President or Dean responsible for the department with which the individual is primarily affiliated must state in writing that such storage is an essential business need and must file the written statement and approval in a secure location for subsequent audit purposes. The Vice President or Dean must also ensure the individual has a signed Electronic Access Agreement on file with the human resources department of the University, Medical Center, or Health Services Foundation.
- Highly sensitive data must be securely encrypted on the electronic device or media, according to encryption methods recommended by the University IT Security & Policy Office or, for Health Systems Computing Services (HSCS) users, the HSCS Security Office.
- A login password must be enabled for the electronic device and, if available, the electronic media. The password must meet or exceed appropriate complexity levels. The password must not be shared with anyone.
- A password-protected screen saver, if available, must be enabled on the electronic
device and set to activate after a maximum of ten minutes of user inactivity. The password
must meet or exceed
appropriate complexity levels. The password must not be shared with anyone. (Exception: Use of a password-protected screen saver is not required if such use would disrupt patient care, such as operating rooms, radiological reading rooms, and procedure rooms.)
- The electronic device must at a minimum employ the basic security guidelines described on the “Securing Electronic Devices” webpage.
- The data must be deleted from the individual-use device or media, as soon as they are no longer required, using secure methods according to the Electronic Data Removal Policy and the Records Retention and Disposition Policy.
- Management of the electronic device may not be outsourced to any party external to the University without written approval from the Vice President or Dean responsible for the department with which the individual is primarily affiliated. The Vice President or Dean must file the written statement and approval in a secure location for subsequent audit purposes. (Exception: Approval is not required, if on the effective date of this policy, management of the electronic device is already outsourced under an existing University contract.)
Contact and Questions
Check the FAQs for additional information.
Questions regarding specific devices and process within your department should be directed to your departmental IT support personnel.
See UVa's Identity Finder page for questions regarding the Identity Finder software.
Questions regarding this policy should be directed to