Disposal of Electronic Equipment Policy
1. Program Scope and Purpose
Palo Alto University requires that before any computer system, electronic devices or electronic media is disposed, recycled or transferred to another user, the system, media or device must be either:
- properly sanitized of sensitive/confidential data and software, or
- properly destroyed.
Any official records must be appropriately retained / disposed of based on the University’s records retention policy prior to erasure or destruction of the system, device or media.
Electronic media must be sanitized following the guidelines in NIST Special Publication 800-88, “Guidelines for Media Sanitization”.
2. Overview
When a file is deleted, the operating system does not completely remove the file from the disk; rather, the file deletion removes only the reference to the file from the file system table. The file remains on the disk until a subsequent file is created over the original file. However, even after the file is overwritten, it is possible to recover data from the original file by studying the magnetic fields on the disk platter surface if the drive was manufactured before 2001. This is referred to as a “laboratory attack”.
Other drives may contain data that can be retrieved with specialized software. This is referred to as “deleted file retrieval”. The only way to prevent these kinds of inadvertent file sharing or file access is to appropriately clean (e.g., sanitize) the hard drive or other media by performing a data wipe or over-write, or to physically destroy the hard drive or other media before it reaches its next owner or destination. The required procedures for performing a data wipe or over-write, or for physically destroying the hard drive or other media, are set forth below.
Overwriting Hard Drives or other Media
The sanitization method for the media depends on the information stored on the media, the age of the media, and on its next destination. The following table should help decide how to handle a particular computer or device.
NIST Special Publication 800-88, “Guidelines for Media Sanitization”, defines the terms and methods for sanitizing hard drives and other media.
Clearing: Overwriting the media
Purging: Magnetic erasure of the media
Destruction: Physical destruction of the media
Examples of Sensitive and Confidential Information include, but are not limited to, the following data types:
- Social Security Numbers
- Student educational records
- Health care records
- Bank account and other financial information
- Research data
- Personnel data
- Other confidential or sensitive University business information
- Proprietary software
If you need assistance removing data, or if you are not sure whether the data stored on a device is Sensitive or Confidential, please contact the Department of Information Technology at 650-433-3839 or support@paloaltou.edu
|
New Location of Device |
Data stored on Device |
Recommendation |
|
Same department |
No Sensitive/Confidential data |
Reformat or reimage |
|
Another department or unit |
No Sensitive/Confidential data |
Reformat or reimage |
|
Same department to staff with access to same information |
Sensitive/Confidential data |
Reformat or reimage |
|
Same department to staff with lower access (or student worker) |
Sensitive/Confidential data |
Clear |
|
Another department or unit |
Sensitive/Confidential data |
Clear |
|
Recycling or disposal (including surplus) |
All data |
Clear |
|
Drive manufacture date prior to 2001 or unknown |
Sensitive/Confidential data |
Purge |
|
Non-functioning media |
All data |
Purge (magnetic); Destroy (solid state) |
The most current research on data retrieval indicates a single pass of random data or zeros (Clearing) is all that is required to sanitize a functioning hard drive manufactured after 2001. Clearing the drive prevents deleted file retrieval. Laboratory attacks are not possible on modern hard drives.
3. Physical Destruction of Hard Drives or other Media
If the computer system, electronic device, or electronic media will not be reused, physical destruction is an acceptable method of disposing of the University data. Individuals desiring to have a computer system, electronic device, or electronic media destroyed may contact the Department of Information Technology at 650-433-3839 or email support@paloaltou.edu to arrange for drop-off or pick-up of their eWaste. Hard Drives that are sent to e-waste will receive a certificate of destruction to confirm the media was destroyed.
4. Violations of improper disposal of electronic equipment
Faculty, staff, and/or student employees who violate this University policy may be subject to disciplinary action for misconduct and/or performance based on the administrative process appropriate to their employment.
Faculty, staff, student employees, and students may also be subject to the discontinuance of specified information technology services based on the policy violation.
Contacts
|
SUBJECT |
CONTACT |
TELEPHONE |
FAX |
|
|
Disposal of electronic equipment policy |
Information Technology |
650-433-3832 |
|
support@paloaltou.edu |
History
Created:
May 9, 2019 by David Leavitt
Revised: