Electronic Data Removal Procedures
Table of Contents
1. Purpose and Background
a) Destruction of Official University Records
b) Secure Deletion of Highly Sensitive Data
c) Storage of Electronic Devices or Media Awaiting Removal from Service
d) Permanent Removal from Service
e) Temporary Removal from Service
f) Electronic Media Requiring Physical Destruction Prior to Disposal
h) Secure Deletion
4. Related Links
5. Further Guidance
1. Purpose and Background
The purpose of these procedures and their associated standard is found in the Electronic Data Removal Standards, and its associated Data Protection of University Information (IRM-003) policy . These procedures and their associated University Data Protection Standards and its Data Protection of University Information (IRM-003) policy apply to all non-student users.
Destruction of Official University Records
If destroying data that (1) is the official record for the University, (2) does not exist elsewhere, or (3) may or may not have met the required retention, please comply with the University Records Management Policy by completing of a Certificate of Records Destruction (RM3) form or contacting the Records Management Office for guidance.
Secure Deletion of Highly Sensitive Data
Highly sensitive data (HSD) stored on electronic devices or media must be deleted once these data are longer required, using one of the appropriate methods described in the Secure Deletion section below.
Storage of Electronic Devices or Media Awaiting Removal from Service
When unattended by authorized personnel or unencrypted, any electronic device or media awaiting processing under these procedures and the associated standard must be stored within a locked cabinet, closet, safe, or drawer, and within in a controlled access building or office (building or office access must be badge or key-controlled and/or staffed by personnel who function in a security role). Storage of such electronic devices or media must be kept to a minimum, and keys or badges allowing access to them must never be accessible to unauthorized personnel.
Permanent Removal from Service
University-owned electronic devices and media must be surplussed promptly following removal from service and prior to permanently leaving the University. Procedures for University-owned devices and media to be surplussed vary by department and/or campus, as outlined below.
Academic and Administrative Departments within Agency 207, University Foundations:
These areas must follow the procedure described in Facilities Management's Computer Surplus Procedure for surplussing University-owned electronic devices and media. Items such as solid state drives (SSDs) or containing SSDs that are being surplussed, the SSD must be rendered unreadable by shredding or crushing so that the data-containing component is unreadable. Such items may not be re-used.
Agency 209 (Health System) Departments:
These departments must follow the procedure described within the Health Information and Technology Surplus and Destruction of Storage Devices Standard (requires login).
Departments at the University of Virginia’s College at Wise (Agency 246):
These departments must contact the Helpdesk at extension 4509 for the appropriate surplus procedure.
Devices Returned to a Leasing Company:
Data files and software on devices being returned to a leasing company must be securely removed by a software tool that replaces previously stored data on a drive or disk with a predetermined pattern of meaningless information. A disk “initialization” is not sufficient. Examples of such software solutions are listed elsewhere in this document under the heading Secure Deletion.
The person removing the software, data, and files to the leasing company must document the removal as follows:
- All files are securely deleted by overwrite all data at least three times and then deleting. In the case of solid state drives, the built-in Internal Secure Erase function must be used. In addition, when it's complete, the whole disk encryption must be enabled and the password NOT given to the leasing company.
- Record the date, indicate that the device has been wiped per the Data Protection of University Information standards and procedures, and write and sign your name.
- Keep this signed record of this destruction in a secure location for subsequent audit purposes.
Temporary Removal from Service
- Device data must be encrypted or securely deleted, and
- If devices need to be shipped, employees must ensure that they are shipped both ways with signature of receipt and tracking (e.g., via USPS, UPS or FedEx ground).
If the Storage Component of the Device is Functioning, and the Device is Being Sent Within the University for Re-use or Repair:
For electronic devices or media being transferred between departments or employees having different software and data access privileges, all data must be securely removed from devices or media. This must occur before transfer or within two weeks of the transfer, if the device isn't put back into service immediately.
- All data on the device must be removed by software that replaces previously stored data on a drive or disk with a predetermined pattern of meaningless information; a disk “initialization” is not sufficient. Examples of such software are listed below under the heading Secure Deletion.
Note: If the electronic device or media has a solid-state drive (SSD), it must be securely wiped using its internal Secure Erase function ONLY if it is being transferred within the University.
Otherwise the SSD must be physically destroyed. The internal Secure Erase function is most effective when the SSD has been previously whole-disk encrypted.
If the Storage Component of the Device is Non-Functioning, and the Device is Being Sent to a Vendor for Repair:
- Employees must use a UVa Procurement purchase order (PO), not a purchasing card or other means of payment. A PO includes UVA's Purchasing Terms and Conditions (T&Cs), to which the vendor must agree. These T&Cs stipulate that data are covered by the University's Data Protection Addendum and Business Associate Addendum (which covers potential HIPAA or PHI data). Employees should contact UVA Procurement or email it‑[email protected] for information on vendors currently known to accept this process and/or with any questions about how to proceed.
- Employees must ensure that the device is shipped both ways with signature of receipt and tracking (e.g., via USPS, UPS or FedEx ground) and signed date and time of receiving the electronic device or media.
Note: This requirement may interfere with warranty replacement of dead hard drives. Vendors usually require the return of a dead hard drive, but such a drive cannot be accessed to remove or encrypt data. Departments are encouraged to negotiate “no return required” clauses on hard-drive warranties. Otherwise, departments may have to replace dead drives at cost outside of warranty coverage.
If the Storage Component of the Device is Non-Functioning, and the Device is Being Sent to Cavalier Computing for Repair:
If the device is not hand-delivered by the employee to whom the device is assigned, employees must ensure that the device is shipped both ways with signature of receipt and tracking (e.g., via USPS, UPS or FedEx ground) and signed date and time of receiving the electronic device or media.
If the Storage Component of the Device is Non-Functioning, and the Device is Not Being Sent for Repair:
Electronic Media Requiring Physical Destruction Prior to Disposal
Disposal of some electronic media must occur by physical destruction. Items such as magnetic tapes, diskettes, CDs, DVDs, solid state drives (SSDs), and USB storage devices must be made unreadable by shredding, smashing, or dimpling, so that the data-containing component is unreadable, before the item is disposed of via trash or recycling.
Highly sensitive data (HSD) must be deleted once no longer required using one of the appropriate secure methods described below or an equivalent. Questions regarding equivalent methods should be directed the University Information Security office by emailing [email protected].
Secure Delete for Macintosh
For Macintosh OS-X, version 10.10 and earlier computers, the Secure Delete feature is included within the operating system. To access this feature, go to Finder, select "Secure Empty Trash..." which is immediately below "Empty Trash..." from the Finder menu, and click OK. Note: If there is nothing in the Trash, the menu item is grayed-out.
OS-X version 10.11 (El Capitan) and subsequent versions no longer have a Secure Delete option because all recent Macintosh computers have a solid-state drive (SSD), and it has been proven that overwriting and deleting SSDs is not completely secure. Therefore, if such a Macintosh computer has been approved for storage of HSD, then whole disk encryption, called FileVault, must be used. File deletion will then be secure because the files are encrypted.
Secure Delete for Windows
Secure deletion/shredding software must be used for irreversible, secure removal of data. Windows Recycle Bin does not perform a secure deletion. ITS provides a secure deletion program that may be used, called Secure Deletion Shredder, which puts a new icon on your Desktop. Use this software to destroy files and folders immediately and permanently.
If a Windows computer has been approved for storage of HSD, then Windows whole disk encryption, called BitLocker, must be used to achieve secure deletion.
Other Secure Deletion Software
Data must be removed by software that replaces previously stored data on a drive or disk with a predetermined pattern of meaningless information; a disk “initialization” is not sufficient. If you are not using a Windows or Macintosh computer and/or do not have access to built-in operating system commands, acceptable software alternatives are:
- DBAN's Blancco Drive Eraser (enterprise version free trial request) [DBAN is for non-UVA owned (aka personal) computers]
- Eraser (freeware)
Software programs like these overwrite information on your hard drive with patterns of meaningless data multiple times. The hard drive can be used after this process, but none of the original data will be recoverable. The software must be configured to overwrite data at least three times. This procedure only applies to non-solid-state drives (SSD).
See the list of definitions for the Acceptable Use, Data Protection, Information Security, and Privacy & Confidentiality policies.
4. Related Links
- Data Protection of University Information (IRM-003)
- Electronic Data Removal Standard
- University Data Protection Standards
- UVa Facilities Management Surplus Property
- UVa Procurement's Purchasing Terms and Conditions
- UVa Procurement's Data Protection addendum (PDF)
- UVa Procurement's Business Associate Addendum
- Records Management Policy
5. Further Guidance
- Taking your electronic device or media out of the USA: https://export.virginia.edu/faqs - answer002
- Leaving UVa - computer accounts and University-licensed software
- Faculty Departure Checklist:
- Staff Off-boarding Checklist:
If you think you need to request an exception to these requirements, please refer to the Exceptions Process.