Highly Sensitive Data

Highly Sensitive Data

Data that require restrictions on access under the law or that may be protected from release in accordance with all applicable laws or regulations, such as Virginia Code § 18.2-186.6. Breach of Personal Information Notification. Highly Sensitive data (HSD) currently include personal information that can lead to identity theft. HSD also includes health information that reveals an individual’s health condition and/or medical history.

Specific examples include, but are not limited to:

  • Any store or file of passwords or user-ids and passwords on any multi-user system or computer.
  • Personal information that, if exposed, can lead to identity theft. This may include a personal identifier (e.g., name, date of birth) as well as one of the following elements:
    • Social security number;
    • Driver’s license number or state identification card number issued in lieu of a driver’s license number;
    • Passport number;
    • Financial account number in combination with any required security code, access code, or password that would permit access to a financial account;
    • Credit card or debit card number, including any cardholder data in any form on a payment card; or
    • Military Identification Number.
  • Health information, which is any information that, if exposed, can reveal an individual’s health condition and/or history of health services use, including information defined by Health Insurance Portability and Accountability Act (HIPAA) as protected health information (PHI).
  • Cardholder Data (CHD): Primary cardholder account number that identifies the issuer and a particular cardholder account, which can include cardholder name, expiration date and/or service code.

Note: Credit card numbers must never be stored either alone or in combination with any other identifiers.

Also considered HSD are any form of personally identifying information in combination with social security number (SSN), driver’s license number, passport number, financial account number and required security code, and/or military ID number. For example, computing ID and driver’s license number, or home address and SSN.

Policy # Policy Title
HRM-025 Professional Service and External Consulting for University Staff Employees
IRM-003 Data Protection of University Information
SEC-037 Networks, Systems, and Facilities Access & Revocation and the Issue & Return of Tangible Personal Property