Digital Strategy and Infrastructure (DSI) Technical Procedure: Electronic Data Removal
Digital Storage Media
Hard drives permanently leaving Albright College:
Hard drives will be wiped to the DOD 7 pass data wipe standard.
After the drive is wiped using DOD 7 pass, the serial number will be recorded in the Computer and HD Retirement Records and the drive will be stored in the IT Services server room until picked up for recycling.
In cases where the hard drive has not been removed from a case, the serial number of the device containing the hard drive will be recorded in the Computer and HD Retirement Records.
Hard drives that cannot be wiped using the DOD 7 pass data wipe standard due to hardware malfunction will be labeled for permanent destruction and will be stored in the secure cabinet in the setup room until they can be given to a hard drive destruction company to be physically destroyed.
The hard drive destruction company will provide documented proof of the serial numbers of the hard drives picked up and the method used for hard drive destruction.
Exception: Occasionally Albright donates outdated computers to outside organizations. Under these conditions, hard drives that have been wiped to the DOD 7 Pass standard can be reinserted into a computer for donation rather than being recycled.
Digital devices or media being transferred within Albright College (between departments or employees having different software and data access privileges) must have their data removed.
The hard drive will have its data wiped to the DOD 7 pass data wipe standard before the computer is reimaged and redistributed for use.
Tablets and cell phones will have their data removed using either a vendor-supplied data removal tool or a third-party data removal application.
Disposal of digital media other than hard drives
Smartphones and tablets will have their serial numbers recorded in the Computer and HD Retirement Records.
Items such as magnetic tapes, diskettes, CDs, DVDs, USB storage devices, tablets and cell phones must be physically destroyed by degaussing, shredding or smashing, so that the data-containing component is unreadable, before the item is disposed of via trash or recycling.
Exception: If a vendor includes a reliable, secure method for removing all data from a device, that procedure can be used instead of physical destruction.
Note: Any electronic device or media received by IT Services for retirement, redistribution, or destruction which has not had its data securely wiped using an approved method must be stored in a secure location. Computers with hard drives still within them and other large objects that contain storage media will be stored in the server room. Hard drives and small devices that contain storage media will be stored in a secure cabinet in the Center for Computing and Mathematics, Room 201. Any request for exceptions to this procedure should go to the Albright College CIO or CIO-designated Electronic Data Removal Steward.
Data Elements Stored in an Enterprise System
Data elements eligible for removal per Albright’s Data Retention Policy will be identified and expunged per the following guidelines through automated and, where necessary, manual processes:
Databases and Application Systems
Data elements in systems that allow for full removal of eligible data will be removed using the system interface, if available, to ensure full deletion of the information.
Data elements in systems or databases that do not have a built-in interface for deletion, or where the data becomes eligible in a piecemeal fashion, will be removed manually.
Backups of data elements held within these systems will be passively expunged. The backups, as part of their natural life cycle, will have the contents removed based on the backup retention policy of the system.
Exceptions to Data removal/destruction
We will record the unique identifying index of a record along with the classification of the data as well as the data deleted to maintain a record of action taken.
Data elements required for the execution of Albright’s responsibilities as a higher education institution will be maintained permanently (e.g., course information to support the verification of a degree and provision of transcripts).
APPROVALS AND REVISIONS
Approved by Chief Technology Officer, June 6, 2012
Approved by Chief Information Officer, March 1, 2018