Data Storage Media Disposal Policy
UNIVERSITY OF WISCONSIN-SUPERIOR
Policy Subject: Data Storage Media Disposal Policy
Cabinet Division: Provost
Date Revised: 10/2005
I. Background and Purpose
This policy ensures compliance with legal requirements to keep data secure while disposing of surplus information technology equipment containing data storage devices.
II. Constraints
The Family Educational Rights and Privacy Act (FERPA), the Gramm-Leach-Bliley Act (GLBA), and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) require protection of the security and confidentiality of specific types of personal information. Section 19.65, Wisconsin Statutes, requires state agencies develop rules of conduct for employees who are involved in collecting, maintaining, using, providing access to, sharing, or archiving personally identifiable information. UW System Board of Regents Policy Document 97-2, the Policy on Use of University Information Technology Resources, requires UW institutions to take reasonable precautions to protect electronic documents containing private and confidential information.
III. Definitions
Data storage media - anything which stores digital information that can be retrieved. Examples of data storage media include computer hard drives, floppy disks, CDs, DVDs, data tapes, flash drives, and memory cards.
IV. Policy Statements
UW-Superior applies methods identified in "UW Procedures and Methods for Removing Data from Surplus Computers" (January 2005) to prevent access to personal information contained on university data storage media when that media is disposed. The methods approved for use at UW-Superior are two of those identified as "effective removal methods": wiping and destruction.
V. Policy Procedures
Wiping: is the process of writing data over the hard drive, such that any data stored on the drive are overwritten by the new data and may not be retrieved. Software in compliance with DoD 5220.22-M standards is required for this process. Wiping may be carried out at UW-Superior or at a certified technology recycling facility within the University of Wisconsin System, such as UW-Madison SWAP.
Destruction: is the physical demolition of the data storage media to render it unusable. The National Industrial Security Program Operating Manual used by national security agencies defines "destroy" as "to disintegrate, incinerate, pulverize, shred, or melt the equipment." The following specific techniques are required for specific media:
- Hard disk drives, flash drives, memory cards - strike with a heavy object until the drive is verified inoperable. Scraping away recording media with a sharp object on hard disk platters is an acceptable alternative.
- CDs, DVDs, floppy disks, data tapes - shred or break into multiple pieces.
VI. Compliance
Compliance with this policy is the responsibility of the unit directors of Information and Instructional Technology Services.