Data Storage Media Disposal Policy


Policy Subject: Data Storage Media Disposal Policy

Cabinet Division: Provost

Date Revised: 10/2005

I. Background and Purpose

This policy ensures compliance with legal requirements to keep data secure while disposing of surplus information technology equipment containing data storage devices.

II. Constraints

The Family Educational Rights and Privacy Act (FERPA), the Gramm-Leach-Bliley Act (GLBA), and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) require protection of the security and confidentiality of specific types of personal information. Section 19.65, Wisconsin Statutes, requires state agencies develop rules of conduct for employees who are involved in collecting, maintaining, using, providing access to, sharing, or archiving personally identifiable information. UW System Board of Regents Policy Document 97-2, the Policy on Use of University Information Technology Resources, requires UW institutions to take reasonable precautions to protect electronic documents containing private and confidential information.

III. Definitions

Data storage media - anything which stores digital information that can be retrieved. Examples of data storage media include computer hard drives, floppy disks, CDs, DVDs, data tapes, flash drives, and memory cards.

IV. Policy Statements

UW-Superior applies methods identified in "UW Procedures and Methods for Removing Data from Surplus Computers" (January 2005) to prevent access to personal information contained on university data storage media when that media is disposed. The methods approved for use at UW-Superior are two of those identified as "effective removal methods": wiping and destruction.

V. Policy Procedures

Wiping: is the process of writing data over the hard drive, such that any data stored on the drive are overwritten by the new data and may not be retrieved. Software in compliance with DoD 5220.22-M standards is required for this process. Wiping may be carried out at UW-Superior or at a certified technology recycling facility within the University of Wisconsin System, such as UW-Madison SWAP.

Destruction: is the physical demolition of the data storage media to render it unusable. The National Industrial Security Program Operating Manual used by national security agencies defines "destroy" as "to disintegrate, incinerate, pulverize, shred, or melt the equipment." The following specific techniques are required for specific media:

  • Hard disk drives, flash drives, memory cards - strike with a heavy object until the drive is verified inoperable. Scraping away recording media with a sharp object on hard disk platters is an acceptable alternative.
  • CDs, DVDs, floppy disks, data tapes - shred or break into multiple pieces.

VI. Compliance

Compliance with this policy is the responsibility of the unit directors of Information and Instructional Technology Services.