
Policy: Electronic Data Removal 


Date: 02/01/08

Policy ID: IRM-004

Status: Final

Policy Type: University
   
Contact Office: Chief Information Officer (Office of the)
   
Oversight Executive: Chief Information Officer
   
Applies To: 

Academic Division, the Medical Center, the College at Wise, and University-related foundations.

   
   
Reason for Policy: 

The purpose of this policy is to minimize the risks of exposing electronic data to individuals unauthorized to view these data and transferring software to those not licensed to use it. This policy is essential to compliance with state and federal data privacy statutes and with software licensing agreements.

   
Policy Summary: 
   
Definition of Terms in Statement: 

Electronic Devices: Electronic equipment that has a storage device or persistent memory, including, but not limited to: desktop computers, laptops, tablets, smart phones and other mobile devices, as well as servers, printers, copiers, routers, switches, firewall hardware, etc.

Electronic Media: All media on which electronic data can be stored, including, but not limited to: external hard drives, magnetic tapes, diskettes, CDs, DVDs and USB storage devices (e.g., thumb drives).

   
Policy Statement: 

All software and data files must be removed by University-approved procedures from electronic devices and electronic media that are surplused, returned to a leasing company, or transferred from one University employee to another employee having different software and data access privileges. When electronic devices are sent outside the University for repair, all data must be either encrypted or removed.

   
Procedures: 

The approved procedures for software and data removal from electronic devices and media are:

  1. Electronic devices or hard drives permanently leaving the University must be disposed of following the designated surplus solution, with the exception of devices returned to a leasing company, from which all software and data files must be removed.

  2. Electronic devices or hard drives temporarily leaving the University for repair must have their data encrypted or removed.

  3. Electronic devices or media being transferred within the University (between departments or employees having different software and data access privileges) must have their data removed.

  4. Disposal of electronic media other than hard drives must be by destruction.

See http://www.virginia.edu/informationsecurity/dataremoval for procedural details.


   
Related Information: 

Procurement and Supplier Diversity Services Surplus Procedure

In addition to being a widely accepted security and privacy practice, effective data removal is required by state and federal regulations. See:

Gramm-Leach-Bliley Act of 1999, Standards for Safeguarding Customer Information; Final Rule

Health Insurance Portability and Accountability Act of 1996 Health Insurance Reform: Security Standards; Final Rule

Federal Commercial Encryption Export Controls

Records Management


   
Policy Background: 

The consequences of unauthorized release of sensitive data are increasing due to Commonwealth of Virginia and federal regulations and growing public concern over privacy and identity theft. In addition, the University is bound by software licensing agreements not to allow unauthorized software use. Without this policy, the risks of data exposure and unauthorized software use would be significant given that:

  • Electronic devices and media sent to Surplus Property are sold or donated to non-profit groups and the general public.
  • Electronic devices are returned to leasing companies when leases expire.
  • Electronic devices and media are sometimes transferred from one employee to another within the University, even when their job functions and accompanying software and data access privileges differ.

These are unacceptable risks for the University.

   
Major Category: Information Resource Management
   
Category Cross Reference: 
   
   
Process: 
   
Next Scheduled Review: 11/26/14
   
Approved By, Date: Executive Vice President and Chief Operating Officer, 11/26/04
   
Revision History: 9/17/13 update, 9/21/12 update; 4/14/11 update; 2/1/08: Minor word changes; procedural changes.
   
Supersedes (previous policy):