Electronic Storage of Highly Sensitive Data FAQs
- Who is responsible for removing the highly sensitive data from my drive?
- What is "highly sensitive data" in the context of the policy?
- What about paper documents containing highly sensitive date?
- I am not sure if certain files need to be retained. Whom do I talk to?
- I have some personal files on on my hard drive that contain sensitive information about me. Do I need to securely delete them as well?
- What about existing contracts with third-parties?
Answers to Frequently-Asked Questions
Unless you have received explicit notice from your department or school outlining a different process, you are responsible for completing the steps outlined in the guidance document. For example, the Medical Center and the Darden School are handling certain of these steps centrally for devices that they manage (you may still be responsible for personally-owned or personally-managed devices). If you are unsure about what you are responsible for, please check with your department.
What is "highly sensitive data" in the context of the policy?
For purposes of this policy, highly sensitive data currently include personal information that can lead to identity theft if exposed (i.e. Social Security numbers, passport numbers, driver's license numbers, financial account numbers) and health information that reveals an individual’s health condition and/or history of health services use (e.g., personally identifiable medical records). While other types of sensitive data, such as student names in combination with course grades obviously exist, the negative impact of unauthorized exposure of data specifically covered by this policy is especially acute. For additional details, see the full definition from the policy.
This policy does not apply to non-electronic records. However, please note that these data do require protection under the University's Protection and Use of Social Security Numbers Policy (see also the SSN Initiative page) and the University's HIPAA compliance efforts.
The best source of information is the data or process owner, who should be able to tell you whether or not the information is subject to the University and state's retention requirements; cf. the University's policy on Records Retention for related requirements and procedures. In general, copies may be disposed of or redacted as long as the official record is retained as required by law.
Although the policy only applies to data collected on behalf of the University, it would be smart to protect yourself by removing any highly sensitive data referring to yourself from your device. The University is not responsible if your own personal information is exposed as the result of your failure to protect it.
Approval is not required for contracts existing at the effective date of the policy. Any contract subsequent to the policy effective dates requires written approval from the appropriate vice president or dean.
Questions regarding specific devices and process within your department, contact your IT support personnel.
For questions regarding the Identity Finder software, see UVa's Identity Finder page.
Questions regarding this policy should be directed to