IRM-003: Data Protection of University Information

Date: 10/23/2017 Status: Final
Last Revised: 10/23/2017
Policy Type: University
Oversight Executive: Chief Information Officer
Applies To: Academic Division, the Medical Center, the College at Wise, and University-Related Foundations.
Reason for Policy:

The University of Virginia is strongly committed to maintaining the privacy and security of confidential personal information and other data it collects. It expects all those who store such information to treat these data with the utmost care in order to protect the privacy and legal rights of the University community.

There are various University policies, federal and state laws and regulations, and contractual obligations that govern how such data must be protected. This policy does not supplant any other policies, legal requirements, or contractual obligations related to the data.

This policy is essential to compliance with state and federal data privacy statutes and with software licensing agreements.

In addition, this policy seeks to minimize the risks of:

  1. exposing data (regardless of format - electronic or paper) to individuals unauthorized to view the data; and
  2. transferring software to those not licensed to use it.

The consequences of unauthorized release of sensitive data are increasing due to Commonwealth of Virginia and federal regulations and growing public concern over privacy and identity theft. In addition, the University is bound by software licensing agreements not to allow unauthorized software use. Without this policy, the risks of data exposure and unauthorized software use would be significant given that, for example:

  • Electronic devices and media sent to Surplus Property may be sold or donated to non-profit groups and the general public.
  • Electronic devices are returned to leasing companies when leases expire.
  • Electronic devices and media are sometimes transferred from one employee to another within the University, even when their job functions and accompanying software and data access privileges differ.
Definition of Terms in Statement:
  • Access (to data):

    The capacity for data users to enter, modify, delete, view, copy, or download data.

    • Data Users:

      Individuals who acknowledge acceptance of their responsibilities, as described in this policy, and its associated standards and procedures, to protect and appropriately use data to which they are given access; and meet all prerequisite requirements, e.g., attend training before being granted access.

  • Classified Data:

    Data whose sensitivity level falls within a hierarchical schema established by the federal government according to the degree to which unauthorized disclosure would damage national security. Access to classified data typically requires a formal security clearance at or above the sensitivity level of the classified data for which access is requested. Ranging from most sensitive to least, those levels are Top Secret, Secret, and Confidential. (A "Public Trust" designation describes the sensitivity of a position, not a classification level of data, and does not by itself authorize access to classified data.) The misuse of classified data may incur criminal penalties and significant reputational damage.

  • Controlled Technology:

    For purposes of this policy, this term includes any item, component, material, software, source code, object code, or other commodity specifically identified on the Commerce Control List [Part 774 of the Export Administration Regulations (EAR)] or U.S. Munitions List [Part 121 of the International Traffic in Arms Regulations (ITAR)]. This term also includes information to the extent required in the applicable regulation.

  • Data:

    Text, numbers, graphics, images, sound, or video, in any format, electronic or paper. The University regards data maintained in support of a functional unit's operation as University data if they meet at least one of the following criteria:

    1. at least two administrative operations of the University use the data and consider the data essential;
    2. integration of related information requires the data;
    3. the University needs to verify the quality of the data to comply with legal and administrative requirements for supporting statistical and historical information externally;
    4. a broad cross section of University employees refers to or maintains the data;
    5. the University needs the data to plan; or
    6. the data are created, received, maintained, and/or transmitted in the course of meeting the University’s teaching, research, public service, and healthcare missions.

    Some examples of such University-owned data include student course grades, patient records, employee salary information, research, vendor payments, and the University's annual Common Data Set.

  • Data Access Approvers:

    University (Academic Division, the Medical Center, and the College at Wise) officials responsible for confirming that an access request maps to the specific components of a given application the data user needs to perform job duties, and that the user has the appropriate training for that access. (The Data Access Approver will be either the Data Steward, the Deputy Data Steward, or the Executive Data Steward.)

  • Data Stewards:

    University (Academic Division, the Medical Center, and the College at Wise) officials who have responsibility for determining the purpose and function of data within their assigned data domains. They (1) work to protect the accuracy, integrity, and (as appropriate) confidentiality of data; (2) have final sign-off authority for users seeking to access, retrieve, manipulate, or view data for their respective data domains (they may delegate final sign-off authority to Deputy Data Stewards they appoint, but retain accountability for decisions); and (3) work to make certain users have an understanding of the data to which they have access.

    • Deputy Data Stewards:

      Individuals who authorize or reject access requests based upon approval criteria established by the Data Stewards who appoint them.

    • Domain (of data):

      The entire collection of data for which a University employee assigned the role and responsibilities of an Executive Data Steward, Data Steward, or Deputy Data Steward is responsible. The data domain also includes rules and processes related to the data.

  • Electronic Device:

    Electronic equipment, whether owned by the University or an individual, that has a processor, storage device, or persistent memory, including, but not limited to: desktop computers, laptops, tablets, cameras, audio recorders, smart phones and other mobile devices, as well as servers (including shared drives), printers, copiers, routers, switches, firewall hardware, network-aware devices with embedded electronic systems (i.e., “Internet of Things”), supervisory control and data acquisition (SCADA) and industrial control systems, etc.

  • Electronic Media:

    All media, whether owned by the University or an individual, on which electronic data can be stored, including, but not limited to: external hard drives, magnetic tapes, diskettes, CDs, DVDs, and USB storage devices (e.g., thumb drives).

  • Electronically Stored Information (ESI):

    Information created, manipulated, stored, or accessed in digital or electronic form.

  • Employee (5):

    An individual who is an employee (2), contractor employee, medical center employee, and/or foundation employee, as well as anyone else to whom University IT resources have been extended. These include, but are not limited to, recently terminated employees whose access to University IT resources has not yet been terminated, deleted, or transferred, and individuals whose University IT resources continue between periods of employment. This also includes student workers, volunteers, and other individuals who may be using state-owned or University IT resources and carrying out University work.

    • Contractor Employee:

      An individual who is an employee of a firm that has a formal contractual relationship with the University and has been assigned to work at the University for the duration of the contract.

    • Employee (2):

      As used in this policy, includes all faculty (teaching, research, administrative and professional), professional research staff, university and classified staff employed by the University in any capacity, whether full-time or part-time, and all those employees in a wage or temporary status.

    • Foundation Employee:

      An individual who is an employee of one of the officially recognized University-related foundations.

    • Medical Center Employees:

      Individuals employed by the University of Virginia Medical Center in any capacity.

  • Executive Data Stewards:

    Senior University (Academic Division, the Medical Center, and College at Wise) officials who have planning and policy-level responsibilities for a large subset of the institution’s data resources. They: (1) oversee the implementation of this policy for their data domains; (2) determine the appropriate classification of institutional data (highly sensitive, moderately sensitive, internal use, and not sensitive) in consultation with executive management and appropriate others; and (3) appoint Data Stewards for their data domains.

  • Export and “Deemed Export”:

    An export is any shipment or transmission of controlled technology out of the U.S. The term "deemed export" is commonly used to refer to the release of controlled information (as specified in the regulations) to a foreign national in the U.S. Under the regulations, such a transfer is deemed to be an export to the individual’s home country.

  • Highly Sensitive Data:

    Data that require restrictions on access under the law or that may be protected from release in accordance with applicable law or regulation, such as Virginia Code § 18.2-186.6 (Breach of Personal Information Notification). Highly Sensitive Data (HSD) currently include personal information that can lead to identity theft. HSD also include health information that reveals an individual’s health condition and/or medical history.

    Specific examples include, but are not limited to:

    • Any store or file of passwords or user-ids and passwords on any multi-user system or computer.
    • Personal information that, if exposed, can lead to identity theft. This means a personal identifier (e.g., name, date of birth) together with at least one of the following elements:
      • Social security number;
      • Driver’s license number or state identification card number issued in lieu of a driver’s license number;
      • Passport number; or
      • Financial account number, or credit card or debit card number, including any cardholder data in any form on a payment card.

    Also considered HSD are any form of personally identifying information in combination with social security number (SSN), driver’s license number, passport number and/or financial account number. For example, computing ID and driver’s license number, or home address and SSN.

    Note that credit card numbers can never be stored either alone or in combination with any other identifiers.

    • Health information is any information that, if exposed, can reveal an individual’s health condition and/or history of health services use, including information defined by Health Insurance Portability and Accountability Act (HIPAA) as protected health information (PHI).
    • Cardholder Data (CHD):

      The primary account number (PAN) that identifies the issuer and a particular cardholder account, together with any of the following stored with it: cardholder name, expiration date, and/or service code.
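
As an added illustration (not part of the policy text, and not the University-provided software for locating personal information referenced under Related Information), the following Python scanner shows how the two structured HSD elements defined above, Social Security numbers and payment card numbers, can be located in exported text before a file or device leaves a user's control. The sample lines are constructed; the SSN validity rules (rejecting never-issued area, group, and serial ranges) and the Luhn check on card-number candidates are assumptions about what a practical scanner applies to cut false positives. Findings retain only the last four digits, so the scan output does not itself become a new store of HSD.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample input (not real records), one field set per line, as a
# data-removal or data-loss-prevention scan would see it in an exported file.
SAMPLE_LINES = [
    "jdoe, Jane Doe, SSN 123-45-6789, DOB 1990-01-02",
    "Order 44812 paid with card 4111 1111 1111 1111 exp 12/26",
    "Ticket 4111-1111-1111-1112 referenced in notes",   # fails Luhn: not a PAN
    "Employee ID 900-12-3456 (area 900 is never issued)",
    "Public course catalog entry, no identifiers",
]

# Dashed SSN form. Area 000, 666 and 900-999, group 00 and serial 0000 are
# never issued, so they are rejected (assumed validity rules).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Candidate primary account numbers: 13-19 digits, optionally separated by
# single spaces or dashes. Every candidate is then checked with Luhn.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based line in the scanned input
    kind: str      # "SSN" or "PAN"
    masked: str    # only the last four digits are retained


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep the last four digits so a report never reproduces the full value."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_lines(lines: Iterable[str]) -> List[Finding]:
    """Return masked findings for every SSN and Luhn-valid PAN in the input."""
    findings: List[Finding] = []
    for line_no, line in enumerate(lines, start=1):
        for m in SSN_RE.finditer(line):
            findings.append(Finding(line_no, "SSN", mask(m.group().replace("-", ""))))
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                findings.append(Finding(line_no, "PAN", mask(digits)))
    return findings


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f"line {f.line_no}: {f.kind} {f.masked}")
```

Run against the constructed lines, the scanner reports one SSN on line 1 and one card number on line 2; the Luhn failure on line 3 and the never-issued SSN area on line 4 are not reported, which is the difference between a scanner that can be run routinely and one whose output is ignored for noise.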

  • Individual–Use Electronic Devices:

    Electronic equipment, whether owned by the University or an individual, that has a storage device or persistent memory, including, but not limited to: desktop computers, laptops, tablets, smart phones and other mobile devices. For purposes of this policy, the term does not include shared purpose devices, such as servers (including shared drives), printers, copiers, routers, switches, firewall hardware, clinical workstations, medical devices (e.g., EKG machines), etc.

  • Individual–Use Electronic Media:

    All media, whether owned by the University or an individual, on which electronic data can be stored, including, but not limited to: external hard drives, magnetic tapes, diskettes, CDs, DVDs, and any externally attached storage devices (e.g., thumb drives).

  • Information Technology (IT) Resources:

    All resources owned, leased, managed, controlled, or contracted by the University involving networking, computing, electronic communication, and the management and storage of electronic data regardless of the source of funds including, but not limited to:

    • Networks (virtual and physical), networking equipment, and associated wiring including, but not limited to: gateways, routers, switches, wireless access points, concentrators, firewalls, and Internet-protocol telephony devices;
    • Electronic devices containing computer processors including, but not limited to: computers, laptops, desktops, servers (virtual or physical), smart phones, tablets, digital assistants, printers, copiers, network-aware devices with embedded electronic systems (i.e., “Internet of things”), and supervisory control and data acquisition (SCADA) and industrial control systems;
    • Electronic data storage devices including, but not limited to: hard drives, solid state drives, optical disks (e.g., CDs, DVDs), thumb drives, and magnetic tape;
    • Software including, but not limited to: applications, databases, content management systems, web services, and print services;
    • Electronic data in transmission and at rest;
    • Network and communications access and associated privileges; and
    • Account access and associated privileges to any other IT resource.
  • Internal Use Data:

    Data that are a public record available to anyone in accordance with the Virginia Freedom of Information Act (FOIA) but are not intentionally made public (see the definition of Public Data). Examples may include salary information, contracts, and specific email correspondence not otherwise protected by a FOIA exemption. For the complete statute, including its exemptions, see Code of Virginia § 2.2-3700, Virginia Freedom of Information Act.

    • Public Record:

      Any writing or recording, regardless of whether it is a paper record, an electronic file, an audio or video recording, or any other format, that is prepared or owned by, or in the possession of, a public body or its officers, employees, or agents in the transaction of public business (Code of Virginia § 2.2-3701). All public records are presumed to be open and may be withheld only if a statutory exemption applies.

  • Moderately Sensitive Data:

    Data, records, and files that:

    Examples include:

    • information concerning the prevention of or response to cyber-attacks;
    • information that describes a security system used to control access to or use of an automated data processing or telecommunications system;
    • research records that do not contain Highly Sensitive Data;
    • University ID numbers, i.e., those printed on University ID cards;
    • Family Educational Rights and Privacy Act-protected data not covered under the definition of “Highly Sensitive” data; and
    • any data or record covered by the exemptions listed in the Commonwealth of Virginia Freedom of Information Act.

  • Public Data:

    Data that are intentionally made public and are therefore classified as not sensitive. Any data that are published and broadly available are, of course, included in this classification. University policy holds that the volume of data classified as not sensitive should be as large as possible, because widespread availability of such information will enable others to make creative contributions in pursuit of the University's mission.

  • Record:

    Any document, file, computer program, database, image, recording, or other means of expressing information in either electronic or non-electronic form.

  • University Record:

    Recorded information that documents a transaction or activity by or with any appointed board member, officer, or employee of the University. Regardless of physical form or characteristic, the recorded information is a University record if it is produced, collected, received or retained in pursuance of law or in connection with the transaction of university business. The medium upon which such information is recorded has no bearing on the determination of whether the recording is a University record. University records include but are not limited to: personnel records, student records, research records, financial records, patient records and administrative records. Record formats/media include but are not limited to: email, electronic databases, electronic files, paper, audio, video and images (photographs).

    • Research Record:

      One type of University record that includes, but is not limited to: grant or contract applications, whether funded or unfunded; grant or contract progress and other reports; laboratory notebooks; notes; correspondence; videos; photographs; X-ray film; slides; biological materials; computer files and printouts; manuscripts and publications; equipment use logs; laboratory procurement records; animal facility records; human and animal subject protocols; consent forms; medical charts; and patient research files.  In addition, research records include any data, document, computer file, computer diskette, or any other written or non-written account or object that reasonably may be expected to provide evidence or information regarding the proposed, conducted, or reported research that constitutes the subject of an allegation of research misconduct.

  • User:

    Everyone who uses University information technology (IT) resources. This includes all account holders and users of University IT resources including, but not limited to: students, applicants, faculty, staff, medical center employees, contractors, foundation employees, guests, and affiliates of any kind.

Policy Statement:

This policy applies to data in any format, electronic or paper (non-electronic) and to all users of the University’s information technology resources, regardless of location or affiliation.

Users must comply with all University policies and standards for the data to which they have been granted the ability to view, copy, generate, transmit, store, download, or otherwise acquire, access, remove, or destroy. Users must also meet any additional compliance requirements for data protection stipulated by various governmental, legal, or contractual entities, including, but not limited to, those defined for classified information, International Traffic in Arms Regulations (ITAR) covered data, Payment Card Industry (PCI) regulated data, Health Insurance Portability and Accountability Act (HIPAA) covered data, and Family Educational Rights and Privacy Act (FERPA) covered data.

A user must protect any data to which s/he is granted access against unauthorized disclosure and must only use the data for the purpose(s) for which access to the data was granted. In this context, disclosure means giving the data to persons not authorized to have access to it. The University also forbids the use of any data for one's own personal gain or profit, for the personal gain or profit of others, or to satisfy personal curiosity.

The University expressly forbids the use of data for anything but the conduct of official University business. It is the responsibility of the user to:

  • verify the correct University data classification (i.e., highly sensitive data, moderately sensitive data, internal use or public data) of any data s/he views, collects, receives, generates, copies, transmits, stores, discloses, or otherwise acquires, accesses, removes, or destroys;
  • handle such data in compliance with this policy and its associated data protection standards and procedures, including, but not limited to, the University Data Protection Standards (UDPS);
  • observe requirements for confidentiality and privacy, including policy IRM-012, Privacy and Confidentiality of University Information; and
  • present the data accurately in any use.

The University and its users must comply with applicable local, state, and federal laws and regulations.

Investigations and/or urgent business needs sometimes require the collection of electronic communications and files that have been stored on University systems by employees or students. Access to electronically stored information (ESI) will only be done with proper approvals from authorizing University and Medical Center officials, as detailed in policy IRM-012, Privacy and Confidentiality of University Information.

Before highly sensitive data (HSD) are collected, transmitted, or stored on any individual-use electronic device or media, written approval is required from the vice president or dean responsible for the department with which the user is primarily affiliated or, in the case of the Medical Center, from its CEO or the CEO's designee responsible for the unit/area of the Medical Center with which the user is primarily affiliated. (See HSD Protection Standard for Individual-Use Electronic Devices or Media and Storage Request Form.)

Highly sensitive data must be securely encrypted on any electronic device or media, and while in transit to/from any electronic device or media, according to encryption methods recommended by the:

  1. University Information Security Office for academic users, or,
  2. Health Information and Technology Security Office for UVa Health System users.

Acceptable authentication must be enabled for every electronic device and, if available, electronic media. The acceptable authentication must meet or exceed the appropriate complexity levels as defined in the University Data Protection Standards (UDPS).

Authentication must not be shared with anyone, or used to allow others access they are not otherwise granted.

The collection, storage, or transmission of University data may not be outsourced to any party external to the University that does not have a contract with the University without the written approval of the appropriate UVa Academic or Health System Chief Information Officer (CIO) or his/her designee. The requestor must keep the written statement and approval in a secure location for subsequent audit purposes.

  1. Data Release:
    All University data must be appropriately protected to provide for a controlled and lawful release. Access to legally restricted (e.g., Family Educational Rights and Privacy Act - FERPA) or limited-access data by University users or by non-UVa employees sponsored by a University manager requires that a written request be made to the appropriate Executive Data Steward, Data Steward, or Deputy Data Steward, following the guidance in the Highly Sensitive Data Protection Standard.

    All software and data must be removed by University-approved procedures from electronic devices and electronic media that are returned to a leasing company or transferred from one University employee to another employee having different software and data access privileges. (The sender does not need to remove software and data from electronic devices and electronic media being sent to the University’s approved surplus unit.) When electronic devices are sent outside the University for repair, all data must be either encrypted or removed in accordance with University standards and procedures, or an exception to such standards must be granted, in writing, by the appropriate UVa Academic or Health System Chief Information Officer (CIO) or his/her designee.

    The University’s policy IRM-017, Records Management must be used for guidance regarding what is required for the retention, disposition, and destruction of University records.

  2. International Travel:
    Traveling with or exporting any of the following requires prior approval from the Office of Export Control as detailed in the University’s policy FIN-043, Managing Exports of Controlled Technology to Foreign Persons and Destinations in Support of Research and Scholarship:

    • University-owned equipment (e.g., individual-use electronic devices or media such as a laptop or smartphone),
    • any University data that is not publicly available,
    • any controlled technology, or
    • technical information subject to publication or dissemination restrictions (which may include research results).
  3. Compliance with Policy:
    Any misuse of data or IT resources may result in the limitation or revocation of access to University IT resources. In addition, failure to comply with requirements of this policy and/or its standards may result in disciplinary action up to and including termination or expulsion in accordance with relevant University policies.

    Violation of this policy may also violate federal, state, or local laws.

    Questions about this policy should be directed to the Contact Office.

Procedures:

Data Protection Standards and Procedures

Standards:
  • Electronic Data Removal
  • University Use of Highly Sensitive Data
  • HSD Protection for Individual-Use Electronic Devices or Media
  • Data Loss Prevention
  • University Data Protection 3.0
  • ESI Release

Procedures:
  • Electronic Data Removal
  • HSD Protection for Individual-Use Electronic Devices or Media
  • ESI Release

Exceptions
Related Information:

FIN-043, Managing Exports of Controlled Technology to Foreign Persons and Destinations in Support of Research and Scholarship

Procurement and Supplier Diversity Services Surplus Procedure

In addition to being a widely accepted security and privacy practice, effective data removal is required by state and federal regulations. See:

Gramm-Leach-Bliley Act of 1999, Standards for Safeguarding Customer Information; Final Rule

Health Insurance Portability and Accountability Act of 1996 Health Insurance Reform: Security Standards; Final Rule

Federal Commercial Encryption Export Controls

IRM-004, Information Security of University Technology Resources

IRM-017, Records Management

STU-002, Rights of Students at the University of Virginia Pursuant to the Family Educational Rights and Privacy Act

University of Virginia Registrar’s guidance on FERPA

Federal regulations including but not limited to the following:

  • The Family Educational Rights and Privacy Act (“FERPA”, also referred to as the "Buckley Amendment"), 20 U.S.C. §1232g;
  • The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Pub. L. 104-191 and implementing regulations issued by the U.S. Department of Health and Human Services including Standards for Privacy of Individually Identifiable Health Information, 45 CFR Parts 160 and 164 (“Privacy Rule”);
  • The Gramm-Leach-Bliley Act (“GLBA”) 15 U.S.C §6801 et seq, and implementing regulations issued by the Federal Trade Commission including Standards for Safeguarding Customer Information (the "Safeguards Rule”), 16 CFR Part 314; and The Privacy Act of 1974, 5 U.S.C. § 552a (2000).

Commonwealth of Virginia laws including but not limited to:

Health Records Privacy Act, Va. Code 32.1-127.1:03

University-provided Software for Locating Personal Information

Responsible Computing for Faculty and Staff Handbook

Medical Center Policy No. 0201 Patient Identification

Medical Center Policy No. 0253 Verification for Release of Patient Information

School of Medicine Policies:

1.430. Required HIPAA Privacy Training 
1.431. Violations of Confidentiality

The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Pub. L. 104-191 and implementing regulations issued by the U.S. Department of Health and Human Services including Standards for Privacy of Individually Identifiable Health Information, 45 CFR Parts 160 and 164 (“Privacy Rule”) and 42 CFR 431.305.

Institutional Review Board for Health Sciences Research:  Medical Record Review

Major Category: Information Resource Management
Next Scheduled Review: 10/23/2020
Approved by, Date: Policy Review Committee, 06/27/2017
Supersedes (previous policy):
IRM-004, Electronic Data Removal; IRM-014, Protection and Use of Social Security Numbers; IRM-015, Electronic Storage of Highly Sensitive Data; Administrative Data Access; Appendix A (Data Classifications); Appendix B (Data Roles and Responsibilities); Information Release (Requests for Electronically Stored Information).