Electronic Data Removal Procedure

Electronic Data Removal Procedure

(Effective November 9, 2010)

Note: Any electronic devices or media awaiting processing under these procedures must be securely stored and should never be left unattended in a public area.  During transport electronic media must be secured and in the possession of an appropriate data custodian or technician at all times.

1. Electronic devices or hard drives permanently leaving the University must be disposed of following the IT Equipment Surplus Procedure with the exception of devices returned to a leasing company, from which all software and data files must be removed.
   • Devices returned to a leasing company should have all software and data files removed by software that replaces previously stored data on a drive or disk with a predetermined pattern of meaningless information; a disk “initialization” is insufficient. Examples of such software are listed on VITA’s page on Removing Data. The software must be configured to overwrite data at least three times.
2. Electronic devices or hard drives temporarily leaving the University for repair must have their data encrypted or removed.
   • If the storage component of the device is functioning, all data should be either
     • Encrypted using a 256-bit or larger key, or
     • Removed by software that replaces previously stored data on a drive or disk with a predetermined pattern of meaningless information; a disk “initialization” is insufficient. Examples of such software are listed on VITA’s page on Removing Data.
   • If the storage component of the device is non-functioning, it must be either
     • Removed and processed as described above
     • Degaussed (concept as explained by Wikipedia)
       • Note: Degaussing may or may not violate a particular warranty.
   • If the purpose of the repair is to recover lost data from the device, please contact the UMW ISO for approval to proceed.

Note: This requirement may interfere with warranty replacement of dead hard drives. Vendors usually require the return of a dead hard drive, but such a drive cannot be accessed to remove or encrypt data. IT Business Office should negotiate and purchase “no return required” clauses on hard-drive warranties.   Otherwise, IT or other departments may have to replace dead drives at cost outside of warranty coverage.

1. Electronic devices or media being transferred within the University (between departments or employees having different software and data access privileges) must have their data removed.

• Data must be removed by software that replaces previously stored data on a drive or disk with a predetermined pattern of meaningless information; a disk “initialization” is insufficient. Examples of such software are listed on VITA’s page on Removing Data.

1. Disposal of electronic media other than hard drives must be by destruction.
   • Items such as magnetic tapes, diskettes, CDs, DVDs and USB storage devices must be physically destroyed by degaussing, shredding or smashing, so that the data-containing component is unreadable, before the item is disposed of via trash or recycling.

• Highly sensitive data must be deleted using secure methods as soon as they are no longer required.  Per the Electronic Storage of Highly Sensitive Data Policy, highly sensitive data cannot be stored on desktop computers, laptop computers, PDAs, cell phones, USB drives, thumb drives, memory cards, CDs, DVDs, local external hard drives and other USB devices without an approved written exception by the agency head.  If an exception request is granted, the data must be encrypted when stored and must be securely deleted using an acceptable method per the ISO.  Contact the ISO for assistance.

Note: Any request for exceptions to this procedure should go to the UMW ISO.