Sanitization of Digital Storage Media Standard
The University has an obligation to protect certain confidential information, such as personally identifiable information and protected health information, against unauthorized access due to the risk of harm such access might bring to the institution or to individuals. A digital storage device containing confidential information presents an opportunity for breach when it is removed from a context in which that information is being managed, unless the confidential information it contains is first securely removed.
Digital storage devices that contain Restricted Information as defined in the University’s Data Classification Standard must be sanitized when they are to be repurposed, recycled, or discarded. Sanitization minimizes the likelihood of recovering data from residual magnetic, optical, electrical, or other representations in digital media.
Digital storage devices include those in computers, cell phones, and tablets, as well as CDs, DVDs, thumb, jump, or USB drives, solid state drives, and hard drives. Appropriate sanitization procedures for these storage device types are referenced in the associated Frequently Asked Questions.
Please see the FAQs below for more information.
Frequently Asked Questions
Please refer to Securely Erase Electronic Devices for information on how to sanitize various types of devices.
Two things you should know: ordinary file deletion native to most operating systems does not sanitize, and methods commonly used to sanitize magnetic storage devices do not work on solid state drives and some other types of media.
This approach may overlook temporary copies and special locations in which the device may have kept the files or portions of the files. It is safer and simpler to sanitize the entire device to ensure nothing was overlooked.
When transferring your device to another person, it is a best practice to sanitize the entire device to ensure that new software is installed cleanly and licensed software terms remain in place. When permanently disposing of a device, deleting its digital storage media is also a good practice.
IT Services provides a device recycling service that properly sanitizes devices before they are recycled. View Technology Recycling for information and to make arrangements.
Device encryption is a good way to protect against unauthorized access to confidential information when the device is lost or stolen. To sanitize an encrypted device, all that is needed is to delete or change the encryption key. View Securely Erase Electronic Devices for details.
The University’s Human Resources policy Treatment of Confidential Information establishes guidelines for the use of confidential information by employees. This policy helps employees understand how to meet some of those obligations.