Table of Contents
1. Purpose and Background
2. Standards
a) Destruction of Official University Records
b) Secure Deletion of Highly Sensitive Data
c) Storage of Electronic Devices or Media Awaiting Removal from Service
d) Permanent Removal from Service
e) Temporary Removal from Service
3. Definitions
4. Related Links
5. Further Guidance
6. Exceptions
1. Purpose and Background
The purpose of this standard and its associated procedures and policy Data Protection of University Information (IRM-003) is to highlight requirements for securely removing data stored on behalf of the University from individual-use devices that are either temporarily or permanently leaving the custody of non-student users to whom they are assigned. This standard and its associated procedures and policy Data Protection of University Information (IRM-003) applies to all non-student users to whom such devices are assigned, including the Academic Division, Medical Center, College at Wise, and University-related Foundations.
2. Standards
Destruction of Official University Records
If destroying data that (1) is the official record for the University, (2) does not exist elsewhere, or (3) may or may not have met the required retention, please comply with the University Records Management Policy by completing of a Certificate of Records Destruction (RM3) form or visit the Records and Information Management website for guidance.
Secure Deletion of Highly Sensitive Data
Highly sensitive data stored on electronic devices or media must be deleted using secure methods once these data are longer required. Highly sensitive data (HSD) must be securely deleted using one of the appropriate methods described in the Secure Deletion section of in the Electronic Data Removal Procedures webpage.
Storage of Electronic Devices or Media Awaiting Removal from Service
When unattended by authorized personnel or unencrypted, any electronic device or media awaiting processing under these standards and the associated procedures must be stored within a locked cabinet, closet, safe, or drawer, and within in a controlled access building or locked office (building or office access must be badge or key-controlled and/or staffed by personnel who function in a security role). Storage of such electronic devices or media must be kept to a minimum, and keys or badges allowing access to them must never be accessible to unauthorized personnel.
Permanent Removal from Service
University-owned electronic devices and media must be surplussed promptly following removal from service and prior to permanently leaving the University. Procedures for University-owned devices and media to be surplussed vary by department and/or campus, as outlined below. Additional required procedures are detailed in the Electronic Data Removal Procedures webpage.
Academic and Administrative Departments within Agency 207, University Foundations:
These areas must follow the procedure described in Facilities Management's Surplus Property Procedures for surplussing University-owned electronic devices and media. Items such as solid state drives (SSDs) that are being surplussed must be rendered unreadable by shredding or crushing so that the data-containing component is unreadable. Such items may not be re-used.
Agency 209 (Health System) Departments:
These departments must follow the procedures described within the Health Information and Technology Equipment Surplus Standard.
Departments at the University of Virginia’s College at Wise (Agency 246):
These departments must contact the Helpdesk at extension 4509 for the appropriate surplus procedure.
Temporary Removal from Service
Required procedures that must be followed for electronic devices or media that will be returned to a leasing company, transferred temporarily to the custody of persons unauthorized to access data stored on the device (e.g., for repair) or transferred within the University are detailed in the Electronic Data Removal Procedures webpage.
3. Definitions
See the list of definitions for the Acceptable Use, Data Protection, Information Security, and Privacy & Confidentiality policies.
4. Related Links
- Data Protection of University Information (IRM-003)
- Electronic Data Removal Procedures
- University Data Protection Standards
- UVa Facilities Management Surplus Property
- UVa Procurement's Purchasing Terms and Conditions
- UVa Procurement's Data Protection addendum (PDF)
- UVa Procurement's Business Associate Addendum
- Records Management Policy
5. Further Guidance
- Taking your electronic device or media out of the USA:https://export.virginia.edu/faqs - answer002
- Leaving UVa - computer accounts and University-licensed software
- Faculty Departure Checklist: https://provost.virginia.edu/academic-policies/faculty-departure-checklist-pdf
- Staff Off-boarding Checklist: https://hr.virginia.edu/careers-uva/onboarding-offboarding/
- Transfering Assets: FIN-013: Permanent Transfer of Equipment Assets to or from the University
6. Exceptions
If you think you need to request an exception to these requirements, please refer to the Exceptions Process.