Electronic Data Removal Policy Procedural Details

[Nov 23, 2009 10:11] Windows Live student email is currently unavailable. ITC is working with Microsoft to develop a solution.

This page provides the details for the procedures referenced by the University Electronic Data Removal Policy.

Electronic Data Removal Procedures

Note: Any electronic devices or media awaiting processing under these procedures must be securely stored, for example, in a locked closet, office or drawer, and should never be left unattended in a public area.

  1. Electronic devices or hard drives permanently leaving the University must be disposed of following the designated surplus solution, with the exception of devices returned to a leasing company, from which all software and data files must be removed.
    • Academic and administrative departments within Agency 207 and University foundations should follow the procedure described in Procurement's Computer Surplus Procedure.
    • Agency 209 (Health System) departments should follow the procedure described at HS/CS Equipment Surplus Procedures.
    • Departments at the University of Virginia’s College at Wise (Agency 246) should contact the Helpdesk at ext. 4509 for replacement and/or removal of all electronic computing devices or hard drives.
    • Devices returned to a leasing company should have all software and data files removed by software that replaces previously stored data on a drive or disk with a predetermined pattern of meaningless information; a disk “initialization” is insufficient. Examples of such software are listed on VITA's page on Removing Data. The software must be configured to overwrite data at least three times.
  2. Electronic devices or hard drives temporarily leaving the University for repair must have their data encrypted or removed.
    • If the storage component of the device is functioning, all data should be either
      • Encrypted using a 256-bit or larger key, or
      • Removed by software that replaces previously stored data on a drive or disk with a predetermined pattern of meaningless information; a disk “initialization” is insufficient. Examples of such software are listed on VITA's page on Removing Data.
    • If the storage component of the device is non-functioning, it must be either
      • Removed and processed as described under items 1. or 4.
      • Degaussed (concept as explained by Wikipedia)
    • If the purpose of the repair is to recover lost data from the device, please contact the IT Security and Policy Office at it-policy@virginia.edu for approval to proceed.

    Note: This requirement may interfere with warranty replacement of dead hard drives. Vendors usually require the return of a dead hard drive, but such a drive cannot be accessed to remove or encrypt data. Departments are encouraged to negotiate “no return required” clauses on hard-drive warranties (see, for example, Dell's offering). Otherwise, departments may have to replace dead drives at cost outside of warranty coverage.

  3. Electronic devices or media being transferred within the University (between departments or employees having different software and data access privileges) must have their data removed.
    • Data must be removed by software that replaces previously stored data on a drive or disk with a predetermined pattern of meaningless information; a disk “initialization” is insufficient. Examples of such software are listed on VITA's page on Removing Data.
  4. Disposal of electronic media other than hard drives must be by destruction.
    • Items such as magnetic tapes, diskettes, CDs, DVDs and USB storage devices must be physically destroyed by degaussing, shredding or smashing, so that the data-containing component is unreadable, before the item is disposed of via trash or recycling.
  5. Highly sensitive data must be deleted using secure methods as soon as they are no longer required.
    • Highly sensitive data should be securely deleted using one of the methods described in Secure Data Deletion or equivalent.

Note: Any request for policy exceptions should go to the IT Security and Policy Office at it-policy@virginia.edu.

© 2009 by the Rector and Visitors of the University of Virginia.

The information contained on the University of Virginia’s Department of Information Technology and Communication (ITC) website is provided as a public service with the understanding that ITC makes no representations or warranties, either expressed or implied, concerning the accuracy, completeness, reliability or suitability of the information, including warrantees of title, non-infringement of copyright or patent rights of others. These pages are expected to represent the University of Virginia community and the State of Virginia in a professional manner in accordance with the University of Virginia’s Computing Policies.