
Electronic Data Removal Standard

Table of Contents

1.  Purpose and Background
2.  Standards
     a) Destruction of Official University Records
     b) Secure Deletion of Highly Sensitive Data
     c) Storage of Electronic Devices or Media Awaiting Removal from Service
     d) Permanent Removal from Service
3.  Definitions
4.  Related Links
5.  Further Guidance
6.  Exceptions


1. Purpose and Background

The purpose of this standard, its associated procedures, and the policy Data Protection of University Information (IRM-003) is to highlight requirements for securely removing data stored on behalf of the University from individual-use devices that are either temporarily or permanently leaving the custody of the non-student users to whom they are assigned.  This standard, its associated procedures, and the policy Data Protection of University Information (IRM-003) apply to all non-student users to whom such devices are assigned, including the Academic Division, Medical Center, College at Wise, and University-related Foundations.

2. Standards

Destruction of Official University Records

If destroying data that (1) is the official record for the University, (2) does not exist elsewhere, or (3) may or may not have met the required retention, please comply with the University Records Management Policy by completing a Certificate of Records Destruction (RM3) form or contacting the Records Management Office for guidance.

Secure Deletion of Highly Sensitive Data

Highly sensitive data stored on electronic devices or media must be deleted using secure methods once these data are no longer required. Highly sensitive data (HSD) must be securely deleted using one of the appropriate methods described in the Secure Deletion section of the Electronic Data Removal Procedures webpage.

Storage of Electronic Devices or Media Awaiting Removal from Service

When unattended by authorized personnel or unencrypted, any electronic device or media awaiting processing under these standards and the associated procedures must be stored within a locked cabinet, closet, safe, or drawer, and within a controlled-access building or locked office (building or office access must be badge or key-controlled and/or staffed by personnel who function in a security role).  Storage of such electronic devices or media must be kept to a minimum, and keys or badges allowing access to them must never be accessible to unauthorized personnel.

Permanent Removal from Service

University-owned electronic devices and media must be surplussed promptly following removal from service and prior to permanently leaving the University.  Procedures for University-owned devices and media to be surplussed vary by department and/or campus, as outlined below.  Additional required procedures are detailed in the Electronic Data Removal Procedures webpage.

Academic and Administrative Departments within Agency 207, University Foundations:

These areas must follow the procedure described in Procurement's Computer Surplus Procedure for surplussing University-owned electronic devices and media.  Items such as solid state drives (SSDs) that are being surplussed must be rendered unreadable by shredding or crushing so that the data-containing component is unreadable.  Such items may not be re-used.

Agency 209 (Health System) Departments:

These departments must follow the procedure described within the Health Information and Technology Surplus and Destruction of Storage Devices Standard.

Departments at the University of Virginia’s College at Wise (Agency 246):

These departments must contact the Helpdesk at extension 4509 for the appropriate surplus procedure.

Temporary Removal from Service

Required procedures that must be followed for electronic devices or media that will be returned to a leasing company, transferred temporarily to the custody of persons unauthorized to access data stored on the device (e.g., for repair) or transferred within the University are detailed in the Electronic Data Removal Procedures webpage.


3. Definitions

For a comprehensive list of the definitions found in the Acceptable Use, Data Protection, Information Security, and Privacy & Confidentiality policies, please click here.


4. Related Links


5. Further Guidance

  • Taking your electronic device or media out of the USA:

https://export.virginia.edu/faqs - answer002

http://www.virginia.edu/provost/facultyexit.pdf

  • Staff Off-boarding Checklist: 

http://www.hr.virginia.edu/other-hr-services/hr-consulting-services/toolkits/offboarding-toolkit/


6. Exceptions 

If you think you need to request an exception to these requirements, please refer to the Exceptions Process.


APPROVER: Chief Information Officer
