Data Sanitization and Disposal Policy

Policy number 12-05
Responsible office Information Technology
Enforcement official
Enforcement official
Campus Information Security Committee
Classification Board of Trustees-delegated Policy
Category Information Technology and Data Security

Statement of policy

What must be done before equipment is cascaded, surplused or discarded.

Summary of contents/major changes

Purpose

Digital storage devices which contain licensed software programs and/or institutional data must be reliably erased and/or destroyed before the device is transferred out of University control, or erased before being transferred from one University department or individual to another.  Western Michigan University is committed to compliance with federal statutes associated with the protection of confidential information as well as ensuring compliance with software licensing agreements.

Scope

All employees of Western Michigan University have a responsibility to ensure the confidentiality of University information residing on the computer systems and other digital storage devices as well as any non-reusable media they use, whether it be University or personally owned.

All computers and digital storage devices including, but not limited to desktop workstation, laptop, server, notebook, tablet, and handheld computer hard drives; external hard drives; and all external data storage devices such as disks, flash drives, DVD, and CD, are covered under the provisions of this policy.

Procedure statements

  • All electronic storage media should be sanitized when it is no longer necessary for business use, provided that the sanitization does not conflict with University data retention policies.
  • All electronic storage media should be sanitized prior to sale, donation or transfer of ownership.  A transfer of ownership may include transitioning media to someone in your department with a different role, relinquishing media to another department, or replacing media as part of a lease agreement.
  • All University employees are responsible for the sanitization of non-reusable electronic media before disposal. Similar to shredding paper reports, CDs and other non-rewritable media should be destroyed before disposal.
  • Deans, directors and department heads are responsible for the sanitation of all WMU owned electronic devices and computer systems in their units prior to removal from a department or the campus. This responsibility may be delegated within the college as deemed appropriate.
  • Any disposal of computer equipment and media storage devices must comply with all surplus disposal procedures as defined by the logistical services department.

NOTE: When removing sensitive information, do not forget storage devices such as thumb drives, back-up external hard drives and CDs. Also, be sure to erase any stored names and numbers from phones and fax machines.

Enforcement

Any person found to be in violation of this procedure will be subject to appropriate disciplinary actions as defined by current University policy and/or collective bargaining agreements.

Related Links

References
History
Effective date of current version October 1, 2011
Proposed date of next review October 1, 2019