Disposal of Electronic Equipment Policy

1. Program Scope and Purpose

Palo Alto University requires that before any computer system, electronic devices or electronic media is disposed, recycled or transferred to another user, the system, media or device must be either:

  • properly sanitized of sensitive/confidential data and software, or
  • properly destroyed.

Any official records must be appropriately retained / disposed of based on the University’s records retention policy prior to erasure or destruction of the system, device or media.

Electronic media must be sanitized following the guidelines in NIST Special Publication 800-88, “Guidelines for Media Sanitization”

 

2. Overview 

When a file is deleted, the operating system does not completely remove the file from the disk; rather, the file deletion removes only the reference to the file from the file system table. The file remains on the disk until a subsequent file is created over the original file. However, even after the file is overwritten, it is possible to recover data from the original file by studying the magnetic fields on the disk platter surface if the drive was manufactured before 2001. This is referred to as a “laboratory attack”.

Other drives may contain data that can be retrieved with specialized software. This is referred to as “deleted file retrieval”. The only way to prevent these kinds of inadvertent file sharing or file access is to appropriately clean (e.g., sanitize) the hard drive or other media by performing a data wipe or over-write, or to physically destroy the hard drive or other media before it reaches its next owner or destination. The required procedures for performing a data wipe or over-write, or for physically destroying the hard drive or other media, are set forth below.

Overwriting Hard Drives or other Media

The sanitization method for the media depends on the information stored on the media, the age of the media, and on its next destination. The following table should help decide how to handle a particular computer or device.

NIST Special Publication 800-88, “Guidelines for Media Sanitization”, defines the terms and methods for sanitizing hard drives and other media.

Clearing: Overwriting the media

Purging: Magnetic erasure of the media

Destruction: Physical destruction of the media

Examples of Sensitive and Confidential Information include, but are not limited to, the following data types:

  • Social Security Numbers
  • Student educational records
  • Health care records
  • Bank account and other financial information
  • Research data
  • Personnel data
  • Other confidential or sensitive University business information
  • Proprietary software

If you need assistance removing data, or if you are not sure whether the data stored on a device is Sensitive or Confidential, please contact the Department of Information Technology at 650-433-3839 or support@paloaltou.edu

New Location of Device

Data stored on Device

Recommendation

Same department

No Sensitive/Confidential data

Reformat or reimage

Another department or unit

No Sensitive/Confidential data

Reformat or reimage

Same department to staff with access to same information

Sensitive/Confidential data

Reformat or reimage

Same department to staff with lower access (or student worker)

Sensitive/Confidential data

Clear

Another department or unit

Sensitive/Confidential data

Clear

Recycling or disposal (including surplus)

All data

Clear

Drive manufacture date prior to 2001 or unknown

Sensitive/Confidential data

Purge

Non-functioning media

All data

Purge (magnetic); Destroy (solid state)

 

The most current research on data retrieval indicates a single pass of random data or zeros (Clearing) is all that is required to sanitize a functioning hard drive manufactured after 2001. Clearing the drive prevents deleted file retrieval. Laboratory attacks are not possible on modern hard drives.

3. Physical Destruction of Hard Drives or other Media

If the computer system, electronic device, or electronic media will not be reused, physical destruction is an acceptable method of disposing of the University data. Individuals desiring to have a computer system, electronic device, or electronic media destroyed may contact the Department of Information Technology at 650-433-3839 or email support@paloaltou.edu  to arrange for drop-off or pick-up of their eWaste. Hard Drives that are sent to e-waste will receive a certificate of destruction to confirm the media was destroyed.

 

4. Violations of improper disposal of electronic equipment

Faculty, staff, and/or student employees who violate this University policy may be subject to disciplinary action for misconduct and/or performance based on the administrative process appropriate to their employment.

Faculty, staff, student employees, and students may also be subject to the discontinuance of specified information technology services based on the policy violation.

 

Contacts

SUBJECT

CONTACT

TELEPHONE

FAX

E-MAIL

Disposal of electronic equipment policy

Information Technology

650-433-3832

 

support@paloaltou.edu

History

Created:

May 9, 2019 by David Leavitt

Revised: 

 
 
 
Created by potrace 1.15, written by Peter Selinger 2001-2017