Policy: Electronic Storage of Highly Sensitive Data
|Date: 06/19/08||Policy ID: IRM-015||Status: Final|
|Contact Office:||Information Security, Policy, and Records Office|
|Oversight Executive:||Vice President and Chief Information Officer|
|Applies To:||Academic Division, Medical Center, College at Wise, and University-related Foundations.|
|Table of Contents:|
|Reason for Policy:||The University of Virginia is strongly committed to maintaining the privacy and security of confidential personal information and other highly sensitive data it collects. It expects all those who store such information to treat these data with the utmost care. There are various University policies, federal and state laws and regulations, and contractual obligations that govern how such data must be protected. The purpose of this policy is to highlight specific requirements that must be met by all who store highly sensitive University data on individual-use electronic devices or electronic media, regardless of whether those are owned by the University or the individual. This policy does not supplant any other policies, legal requirements, or contractual obligations.|
|Definition of Terms in Statement:||
Individual-Use Electronic Devices: Electronic equipment, whether owned by the University or an individual, that has a storage device or persistent memory, including, but not limited to: desktop computers, laptops, tablets, smart phones and other mobile devices. For purposes of this policy, the term does not include shared purpose devices, such as servers (including shared drives), printers, copiers, routers, switches, firewall hardware, clinical workstations, medical devices (e.g., EKG machines), etc.
Individual-Use Electronic Media: All media, whether owned by the University or an individual, on which electronic data can be stored, including, but not limited to: external hard drives, magnetic tapes, diskettes, CDs, DVDs, and USB storage devices (e.g., thumb drives).
Highly Sensitive Data: For purposes of this policy, highly sensitive data currently include personal information that can lead to identity theft if exposed and health information that reveals an individual’s health condition and/or history of health services use. While other types of sensitive data, such as student names in combination with course grades obviously exist, the negative impact of unauthorized exposure of data specifically covered by this policy (and described in detail below) is especially acute.
The risk of unauthorized disclosure of highly sensitive data is very high when such data are stored on individual-use electronic devices and media, since these items are easily stolen. The University, therefore, strictly limits the circumstances under which highly sensitive data may be stored on these devices and media. It further mandates that all of the requirements that follow be met when highly sensitive data must unavoidably be stored on individual-use electronic devices or electronic media. It is the responsibility of individuals to determine if they have highly sensitive data on their device(s) and media and, if so, to ensure compliance with this policy.
As noted earlier, it is the responsibility of individuals to determine if they have highly sensitive data on their individual-use device(s) and media and, if so, to ensure compliance with this policy. Failure to comply with requirements of this policy will result in disciplinary action up to and including termination.
Finding and Removing Sensitive Data – Easy to use University-provided software is available to help individuals locate certain personal information on their computers. Once installed, the software will scan all computer files and list those that appear to include social security numbers, credit card numbers, or, optionally, medical record numbers. The software presents the user with options for handling the files. In addition to periodically running this software, individuals should routinely delete files in a secure manner when they are no longer needed. Guidance for securely deleting files can be found here.
Request and Approval Form – An individual requesting approval to store highly sensitive data on his or her individual-use electronic device or media must complete the form and submit it to his or her department head/chair. If the department head/chair supports the request, he or she must forward the forms to the appropriate vice president or dean for approval.
University-provided Software for Locating Personal Information
The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Pub. L. 104-191 and implementing regulations issued by the U.S. Department of Health and Human Services including Standards for Privacy of Individually Identifiable Health Information, 45 CFR Parts 160 and 164 (“Privacy Rule” )
|Policy Background:||Phased Compliance Strategy – Because of the magnitude of effort, the University of Virginia originally adopted a risk-based, phased approach for implementing this policy, with portable devices and media prioritized for quick action following the 6/19/2008 effective date and compliance for all individual-use electronic devices and electronic media required by 7/1/2009.|
|Major Category:||Information Resource Management|
|Category Cross Reference:|
|Next Scheduled Review:||06/19/14|
|Approved By, Date:||Executive Vice President and Chief Operating Officer, 06/19/08|
|Revision History:||Updated 9/17/13, 7/28/11.|
|Supersedes (previous policy):|