IRM-004: Electronic Data Removal

Date: 02/01/2008
Status: Final
Last Revised: 09/17/2013
Policy Type: University
Oversight Executive: Chief Information Officer
Applies To: Academic Division, the Medical Center, the College at Wise, and University-Related Foundations.
Table of Contents:

Policy Statement
Procedures

Reason for Policy:

The purpose of this policy is to minimize the risks of exposing electronic data to individuals unauthorized to view these data and transferring software to those not licensed to use it. This policy is essential to compliance with state and federal data privacy statutes and with software licensing agreements.

Definition of Terms in Statement:
  • Electronic Devices:

    Electronic equipment, whether owned by the University or an individual, that has a storage device or persistent memory, including, but not limited to: desktop computers, laptops, tablets, smart phones and other mobile devices, as well as servers (including shared drives), printers, copiers, routers, switches, firewall hardware, etc.

  • Electronic Media:

    All media, whether owned by the University or an individual, on which electronic data can be stored, including, but not limited to: external hard drives, magnetic tapes, diskettes, CDs, DVDs, and USB storage devices (e.g., thumb drives).

Policy Statement:

All software and data files must be removed by University-approved procedures from electronic devices and electronic media that are surplussed, returned to a leasing company, or transferred from one University employee to another employee having different software and data access privileges. When electronic devices are sent outside the University for repair, all data must be either encrypted or removed.

Procedures:

The approved procedures for software and data removal from electronic devices and media are:

  1. Electronic devices or hard drives permanently leaving the University must be disposed of following the designated surplus solution, with the exception of devices returned to a leasing company, from which all software and data files must be removed.

  2. Electronic devices or hard drives temporarily leaving the University for repair must have their data encrypted or removed.

  3. Electronic devices or media being transferred within the University (between departments or employees having different software and data access privileges) must have their data removed.

  4. Disposal of electronic media other than hard drives must be by destruction.

See Electronic Data Removal Procedural Details.

Related Information:

Procurement and Supplier Diversity Services Surplus Procedure

In addition to being a widely-accepted security and privacy practice, effective data removal is required by state and federal regulations. See:

Gramm-Leach-Bliley Act of 1999, Standards for Safeguarding Customer Information; Final Rule

Health Insurance Portability and Accountability Act of 1996, Health Insurance Reform: Security Standards; Final Rule

Federal Commercial Encryption Export Controls

IRM-017, Records Management

Policy Background:

The consequences of unauthorized release of sensitive data are increasing due to Commonwealth of Virginia and federal regulations and growing public concern over privacy and identity theft. In addition, the University is bound by software licensing agreements not to allow unauthorized software use. Without this policy, the risks of data exposure and unauthorized software use would be significant given that:

  • Electronic devices and media sent to Surplus Property are sold or donated to non-profit groups and the general public.
  • Electronic devices are returned to leasing companies when leases expire.
  • Electronic devices and media are sometimes transferred from one employee to another within the University, even when their job functions and accompanying software and data access privileges differ.

These are unacceptable risks for the University.

Major Category: Information Resource Management
Next Scheduled Review: 09/17/2016
Approved by, Date: Executive Vice President and Chief Operating Officer, 11/26/2004
Revision History: 9/17/13, 9/21/12, 4/14/11, 2/1/08: Minor word changes; procedural changes.