Electronic Data Disposal Policy

Policy

Purpose:

Data confidentiality is an issue of legal and ethical concern. The purpose of this policy is to provide for proper cleaning or destruction of sensitive/confidential data and licensed software on all computer systems, electronic devices and electronic media being disposed, recycled or transferred either as surplus property or to another user.

Applies to:

University employees (e.g., faculty, staff, student employees) and other covered individuals (e.g., affiliates, vendors, independent contractors, etc.) in their handling of University data, information and records in electronic form during the course of conducting University business (administrative, financial, teaching, research or service).

Campus:

Lawrence

Policy Statement:

The University of Kansas requires that before any computer system, electronic device or electronic media is disposed, recycled or transferred either as surplus property or to another user, the system, media or device must be either:

properly sanitized of University sensitive/confidential data and software, or
properly destroyed.

Any official University records must be appropriately retained / disposed of based on the University’s records retention policy prior to erasure or destruction of the system, device or media.

Electronic media must be sanitized following the guidelines in NIST Special Publication 800-88, “Guidelines for Media Sanitization”. The specific procedures and requirements to be followed when cleaning or destroying computer systems, electronic devices and electronic media are found in the Electronic Data Disposal Procedure document.

Consequences:

Faculty, staff and student employees who violate this University policy may be subject to disciplinary action for misconduct and/or performance based on the administrative process appropriate to their employment.

Students who violate this university policy may be subject to proceedings for non-academic misconduct based on their student status.

Faculty, staff, student employees and students may also be subject to the discontinuance of specified information technology services based on the policy violation.

Contact:

Office of the Chief Information Officer
1001 Sunnyside Avenue
Lawrence, KS 66045
785-864-4999
kucio@ku.edu

Approved by:

Provost and Executive Vice Chancellor

Approved on:

Thursday, August 14, 2008

Effective on:

Thursday, August 14, 2008

Review Cycle:

Annual (As Needed)

Definitions:

These definitions apply to these terms as they are used in this document.

Sanitization (of computer hard drives)	Removing data on a system through one or more various methods that may include overwriting or erasing data utilizing the methods described in NIST Special Publication 800-88.
Degaussing	Process by which storage media is subjected to a powerful magnetic field to remove the data on the media.

Keywords:

Secure data disposal, electronic shredding, erasing media, data removal, discarding computers, data wipe, media sanitization

Change History:

01/26/2022: Updated contact section.
11/17/2014: Policy formatting cleanup (e.g., bolding, spacing).
08/17/2010: Updated to reflect NIST Guidelines for Media Sanitization.

Information Access & Technology Categories:

Privacy & Security