Electronic Storage of Highly Sensitive Data

Definitions for key terms in the University's policy on Electronic Storage of Highly Sensitive Data and related guidance.

Definitions

These definitions come from the full text of the University's policy on Electronic Storage of Highly Sensitive Data.

Individual-Use Electronic Devices
Computer equipment, whether owned by the University or an individual, that has a storage device or persistent memory, such as desktop computers, laptops, tablet PCs, BlackBerrys and other personal digital assistants (PDAs), and smart phones. For purposes of this policy, the term does not include shared purpose devices, such as servers (including shared drives), printers, routers, switches, firewall hardware, clinical workstations, medical devices (e.g. EKG machines), etc.
Individual-Use Electronic Media
All media, whether owned by the University or an individual, on which electronic data can be stored, including but not limited to external hard drives, magnetic tapes, diskettes, CDs, DVDs, and USB storage devices (e.g. thumb drives).
Highly Sensitive Data
For purposes of this policy, highly sensitive data currently include personal information that can lead to identity theft if exposed and health information that reveals an individual’s health condition and/or history of health services use. While other types of sensitive data, such as student names in combination with course grades, obviously exist, the negative impact of unauthorized exposure of data specifically covered by this policy (and described in detail below) is especially acute.
  1. Personal information that, if exposed, can lead to identity theft. “Personal information” means the first name or first initial and last name in combination with and linked to any one or more of the following data elements about the individual:
    1. Social security number;
    2. Driver’s license number or state identification card number issued in lieu of a driver’s license number;
    3. Passport number; or
    4. Financial account number, or credit card or debit card number.
  2. Health information that, if exposed, can reveal an individual’s health condition and/or history of health services use. “Health information”, also known as “protected health information (PHI)”, includes health records combined in any way with one or more of the following data elements about the individual:
    1. Names
    2. All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census, the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people are changed to 000.
    3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, and date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.
    4. Telephone numbers
    5. Fax numbers
    6. Electronic mail addresses
    7. Social security numbers
    8. Medical record numbers
    9. Health plan beneficiary numbers
    10. Account numbers
    11. Certificate/license numbers
    12. Vehicle identifiers and serial numbers, including license plate numbers
    13. Device identifiers and serial numbers
    14. Web Universal Resource Locators (URLs)
    15. Internet Protocol (IP) address numbers
    16. Biometric identifiers, including finger and voice prints
    17. Full face photographic images and any comparable images; and
    18. Any other unique identifying number, characteristic, or code that is derived from or related to information about the individual
Mobile Devices
Laptops, tablet PCs, BlackBerrys and other personal digital assistants (PDAs) and smart phones.

Security Requirements

All of the following requirements must be met when highly sensitive data must unavoidably be stored on individual-use electronic devices or electronic media:

  1. The Vice President or Dean responsible for the department with which the individual is primarily affiliated must state in writing that such storage is an essential business need and must file the written statement and approval in a secure location for subsequent audit purposes. The Vice President or Dean must also ensure the individual has a signed Electronic Access Agreement on file with the human resources department of the University, Medical Center, or Health Services Foundation.
  2. Highly sensitive data must be securely encrypted on the electronic device or media, according to encryption methods recommended by the University IT Security & Policy Office or, for Health Systems Computing Services (HSCS) users, the HSCS Security Office.
  3. A login password must be enabled for the electronic device and, if available, the electronic media. The password must meet or exceed appropriate complexity levels. The password must not be shared with anyone.
  4. A password-protected screen saver, if available, must be enabled on the electronic device and set to activate after a maximum of ten minutes of user inactivity. The password must meet or exceed appropriate complexity levels. The password must not be shared with anyone. (Exception: Use of a password-protected screen saver is not required if such use would disrupt patient care, such as in operating rooms, radiological reading rooms, and procedure rooms.)
  5. The electronic device must at a minimum employ the basic security guidelines described on the “Securing Electronic Devices” webpage.
  6. The data must be deleted from the individual-use device or media, as soon as they are no longer required, using secure methods according to the Electronic Data Removal Policy and the Records Retention and Disposition Policy.
  7. Management of the electronic device may not be outsourced to any party external to the University without written approval from the Vice President or Dean responsible for the department with which the individual is primarily affiliated. The Vice President or Dean must file the written statement and approval in a secure location for subsequent audit purposes. (Exception: Approval is not required if, on the effective date of this policy, management of the electronic device is already outsourced under an existing University contract.)

Contact and Questions

  • Check the FAQs for common questions.
  • Questions regarding specific devices and processes within your department should be directed to your departmental IT support personnel.
  • For questions regarding the Identity Finder software, see UVa's Identity Finder page.
  • Questions regarding this policy should be directed to it-policy@virginia.edu.

© 2008 by the Rector and Visitors of the University of Virginia.

The information contained on the University of Virginia’s Department of Information Technology and Communication (ITC) website is provided as a public service with the understanding that ITC makes no representations or warranties, either expressed or implied, concerning the accuracy, completeness, reliability or suitability of the information, including warranties of title, non-infringement of copyright or patent rights of others. These pages are expected to represent the University of Virginia community and the State of Virginia in a professional manner in accordance with the University of Virginia’s Computing Policies.