IRM-004: Electronic Data RemovalDate: 02/01/2008 Status: Final
The purpose of this policy is to minimize the risks of exposing electronic data to individuals unauthorized to view these data and transferring software to those not licensed to use it. This policy is essential to compliance with state and federal data privacy statutes and with software licensing agreements.
Electronic equipment, whether owned by the University or an individual, that has a storage device or persistent memory, including, but not limited to: desktop computers, laptops, tablets, smart phones and other mobile devices, as well as servers (including shared drives), printers, copiers, routers, switches, firewall hardware, etc.
All media, whether owned by the University or an individual, on which electronic data can be stored, including, but not limited to: external hard drives, magnetic tapes, diskettes, CDs, DVDs, and USB storage devices (e.g., thumb drives).
All software and data files must be removed by University-approved procedures from electronic devices and electronic media that are surplussed, returned to a leasing company, or transferred from one University employee to another employee having different software and data access privileges. When electronic devices are sent outside the University for repair, all data must be either encrypted or removed.
Electronic devices or hard drives permanently leaving the University must be disposed of following the designated surplus solution, with the exception of devices returned to a leasing company, from which all software and data files must be removed.
Electronic devices or hard drives temporarily leaving the University for repair must have their data encrypted or removed.
Electronic devices or media being transferred within the University (between departments or employees having different software and data access privileges) must have their data removed.
Disposal of electronic media other than hard drives must be by destruction.
The consequences of unauthorized release of sensitive data are increasing due to Commonwealth of Virginia and federal regulations and growing public concern over privacy and identify theft. In addition, the University is bound by software licensing agreements not to allow unauthorized software use. Without this policy, the risks of data exposure and unauthorized software use would be significant given that:
- Electronic devices and media sent to Surplus Property are sold or donated to non-profit groups and the general public.
- Electronic devices are returned to leasing companies when leases expire.
- Electronic devices and media are sometimes transferred from one employee to another within the University, even when their job functions and accompanying software and data access privileges differ.
These are unacceptable risks for the University.