As a university, we handle several forms of sensitive data. If you work with personally identifiable information of any kind—such as personal financial, academic record, or health-related data—it is likely protected by privacy and/or security laws.
Do you manage legally protected data? If so, read on.
This website provides an overview of three key federal laws (FERPA, GLBA, and HIPAA) that govern the handling of certain types of sensitive information, which must be protected by those authorized to use it. Department chairs/managers and IT staff should reference the more detailed IT Security Risk Management Program. There are other federal laws, as well as Commonwealth of Virginia laws, that also might apply to the institutional information you access. Faculty and staff should consult with their department chairs/managers to learn more about those laws.
Definitions of Legally Protected Data—FERPA, GLBA, and HIPAA
Definition of FERPA Data
The Family Educational Rights and Privacy Act (FERPA) requires the University to protect the confidentiality of student educational records. These include academic records, financial records, disciplinary records, medical records, and placement office records. FERPA restricts access to and release of student information. The University may disclose personally identifiable information designated as directory information from a student's education records without prior consent, unless the student informs the Office of the University Registrar in writing that directory information should not be released without written consent. This certification does not preclude the verification of degrees awarded. A complete list of what is considered “directory information” is maintained by the Office of the University Registrar.
Definition of GLBA Data
The Gramm-Leach-Bliley Act (GLBA) includes regulations to protect consumers' personal financial information. Only a few departments at the University provide financial services that must be managed according to the security provisions of the GLBA, which is also known as the Financial Services Modernization Act. The following questions are helpful in determining if you handle data subject to this law:
- Do you collect personal financial information pursuant to issuing credit, including credit cards? (Accepting credit does not apply.)
- Do you collect personal financial information pursuant to granting loans?
- Do you collect payments on which interest is paid? (Deferred payment plans that do not charge interest do not apply.)
- Do you broker investments or mortgages?
- Do you provide financial advice for a fee?
- Do you collect personal financial information pursuant to any other “financial product or service”? (Think about the services banks, brokerages and insurance companies provide.)
- Have you negotiated a contract with a financial service provider or do you plan to do so in the future?
Definition of HIPAA Data
HIPAA (Health Insurance Portability and Accountability Act) places significant privacy and security requirements on health care practitioners and researchers. Rigorous privacy and security safeguards are necessary to minimize the risk of inappropriate use of data covered by HIPAA. If you handle medical information that is combined in any way with one or more of the following personal health identifiers (PHI), then HIPAA governs its use.
- Names
- All geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code, and their equivalents—except for the initial three digits of a zip code if, according to the current publicly-available data from the Bureau of the Census, the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people
- All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
- Telephone numbers
- Fax numbers
- Electronic mail addresses
- Social security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger and voice prints
- Full face photographic images and any comparable images; and
- Any other unique identifying number, characteristic, or code that is derived from or related to information about the individual
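The list above is the basis of the HIPAA "Safe Harbor" approach to de-identification: strip the direct identifiers outright, and generalize the three that have special rules (zip codes to their first three digits unless the prefix covers 20,000 people or fewer, dates to the year only, and ages over 89 to a single "90 or older" category, including the birth year). The following Python is an added illustration written for this page, not code from the University or from any HIPAA guidance. The record field names, the sample record, and the set of restricted zip prefixes are all constructed for the example; a real deployment must derive the restricted prefixes from current Census data as the rule requires.

```python
"""Safe Harbor style de-identification helpers (added example).

Applies the zip-code, date and age rules from the HIPAA identifier list
to a constructed sample record. Field names are assumptions for this demo.
"""
import re
from datetime import date

# Fields holding direct identifiers from the list (names, street-level
# geography, phone/fax, e-mail, SSN, MRN, plan/account/license numbers,
# vehicle/device identifiers, URLs, IPs, biometrics, photos). Names are
# illustrative; a real schema will differ.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_no", "license_no", "vin",
    "device_serial", "url", "ip", "biometric", "photo",
}

# Three-digit zip prefixes whose combined population is 20,000 or fewer
# must be replaced with 000. CONSTRUCTED for this example; the real set
# comes from current Census data.
RESTRICTED_ZIP3 = {"036", "059", "102", "203"}

# Reference date for computing ages in the demo (constructed).
AS_OF = date(2024, 1, 1)


def generalize_zip(zip_code: str) -> str:
    """Keep only the initial three digits, or 000 for low-population prefixes."""
    digits = re.sub(r"\D", "", zip_code)[:5]
    if len(digits) < 3:
        return "000"  # malformed/short input: fail toward more suppression
    prefix = digits[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def generalize_date(d: date) -> str:
    """All elements of a date except the year are removed."""
    return str(d.year)


def compute_age(birth: date, as_of: date) -> int:
    """Whole years between birth and as_of."""
    before_birthday = (as_of.month, as_of.day) < (birth.month, birth.day)
    return as_of.year - birth.year - int(before_birthday)


def generalize_age(age: int) -> str:
    """Ages over 89 collapse into the single category '90+'."""
    return "90+" if age > 89 else str(age)


def deidentify_record(record: dict, as_of: date) -> dict:
    """Return a Safe Harbor generalized copy of one record."""
    out = {}
    birth = record.get("birth_date")
    age = compute_age(birth, as_of) if isinstance(birth, date) else None
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue  # direct identifiers are dropped entirely
        if key == "zip":
            out[key] = generalize_zip(value)
        elif isinstance(value, date):
            # For an individual over 89 the birth year itself is indicative
            # of age and must also go; every other date keeps only the year.
            if key == "birth_date" and age is not None and age > 89:
                continue
            out[key] = generalize_date(value)
        else:
            out[key] = value
    if age is not None:
        out["age"] = generalize_age(age)
    return out


# Constructed sample records; not real people.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0001",
    "email": "jane@example.edu",
    "zip": "22903-1234",
    "birth_date": date(1930, 3, 15),
    "admission_date": date(2023, 11, 2),
    "diagnosis": "example diagnosis text",
}
SAMPLE_RECORD_YOUNG = {"zip": "10001", "birth_date": date(1990, 6, 1)}

if __name__ == "__main__":
    print(deidentify_record(SAMPLE_RECORD, AS_OF))
    print(deidentify_record(SAMPLE_RECORD_YOUNG, AS_OF))
```

Note the asymmetry the age rule introduces: for most records the birth date survives as a year, but once the computed age exceeds 89 the birth year is suppressed along with the exact age, because the year alone would reveal that the person is 90 or older. Short or malformed zip codes are suppressed to 000 rather than passed through, so an unexpected input never leaks more than the rule allows.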
Your responsibility to safeguard institutional data
The University takes its responsibility to protect sensitive institutional data very seriously and requires all those granted access to this information to preserve and protect it. Requirements for data confidentiality and privacy must be observed, and use of these data for anything but the conduct of University business is strictly forbidden. Listed below are general steps individuals should follow to help meet these requirements. Faculty and staff should consult with their department chairs/managers for additional guidance.
- Log off your computer when you leave your desk and use a password-protected screen saver. Keep information displayed on your screen confidential, just as you would keep confidential printed material on your desk or in your files away from wandering glances.
- Reformat used diskettes and rewritable CDs and use them again. Destroy diskettes, CDs, and other electronic media when they are no longer reusable. Do not recycle any that contain sensitive data or University-licensed software.
- Lock your diskettes, CDs, and other electronic media in your desk or in a locked, fire-resistant cabinet.
- Follow University-approved policy when surplusing electronic devices such as desktop computers, laptops, and PDAs; when returning them to a leasing company; or when transferring them from one University employee to another employee who has different software and data access privileges.
- Do not use email for sending confidential information, or when there would be concern if all or part of the email were forwarded to other parties.
- Use of a mobile device, such as a PDA, Blackberry, or text-enabled pager, for sending and receiving messages containing confidential information is especially discouraged, because a mobile device can be easily lost or stolen. All messages containing confidential University information should be promptly deleted.
- Apply the security safeguards not just to on-site devices and data, but also to protect devices and data taken off University premises. Special precautions are necessary for small portable devices, such as laptops and PDAs, which can be easily lost or stolen. Home computers must not be used to store University data.
- If you become aware that sensitive University data may have been inappropriately exposed, you are required by UVa policy to report it to appropriate University officials.
- Your electronic data files are extensions of printed files in your care. It is your responsibility to ensure that both electronic and paper files in your keeping be safeguarded, especially if they contain sensitive information—such as data about individual students, employees, patients, research participants, donors, and others. If you are unsure what is expected of you, ask questions.
Where can I get more information on data policies?
University computing policies and applicable laws are summarized in the Responsible Computing Handbook. If you access Medical Center computer systems, find additional security policies on the Health Systems Computing Security website.
ITC offers a data storage service that is in compliance with regulations regarding legally protected data. Learn more about this service.
