Call IT Support Email IT Support

Data Destruction

Defining the University’s approach to destruction of data and data processing equipment

Policy Statement

This control procedure defines the University’s approach to destruction of data and data processing equipment, and directly supports the following policy statement from the Information Security Policy:

All assets (information, software, electronic information processing equipment, service utilities and people) will be documented and accounted for. Owners will be identified for all assets and they will be responsible for the maintenance and protection of their assets.

Audience

This procedure is intended to be read and understood by any users responsible for arranging the disposal or destruction of information assets. It is of particular relevance to ISDS staff and Information Asset Owners and Managers.

Control Statements

1. Regular Disposal of Data

Data should be reviewed and disposed of regularly, in line with the University’s Retention and Disposal Schedule. This is maintained by the Records Management Team.

2. Return of Assets

All users should return all University assets in their possession upon termination of their employment, contract or agreement. It is not permitted to pass or swap any University equipment/accessories between users.

It is the responsibility of Information Asset Owners to ensure that assets falling under their control are handled in line with this procedure.

In cases where a user uses their own personal equipment, the Mobile and Remote Access procedure should be followed to ensure that all relevant information is transferred to the University and securely erased from the equipment.

3. Disposal of Data and Data Processing Equipment

Due to the lack of segregation in the University network, it should be assumed that any network-connected device, or any unconnected device that has processed University data, has held data at the top end of the Information Classification Scheme used by the University. This means that physical equipment needs to be disposed of in a secure manner.

The only way to permanently destroy data, without physically destroying the media, is by multiple overwriting of the data by generating and recording random characters across the entire surface of the drive, resulting in complete data destruction and resetting of file sizes to zero. There are a number of overwriting standards but the current recognized UK standard is HMG IS 5 Enhanced.

Secure disposal is currently undertaken by CDL, with the contract managed by the Estates Environment Team. CDL uses White Canyon Wipe Drive 8.1 overwriting software, which is CPA approved in the UK under the National Cyber Security Centre.

Where equipment is to be reused, disks must be removed and wiped or destroyed as indicated below. Where disks are replaced, these need to be wiped/destroyed not simply returned to the manufacturer for re-issue.

Data destruction reports are provided to the Estates Team and the Information Security Team.

The University will employ the following data destruction/cleansing methods (filter by media type):

Hard Disk Drives (HDD)

Data storage mechanism:

  • Non-volatile magnetic

Suggested removal methods:

  • Multi Pass Pattern wiping
  • Disintegration

Solid State Disk Drives (SSD)

Data storage mechanism:

  • Non-volatile solid state memory

Suggested removal methods:

  • Multi Pass Pattern wiping
  • Disintegration

CD / DVD

Data storage mechanism:

  • Optical

Suggested removal methods:

  • Abrasion
  • Disintegration

 

Magnetic Tape

Data storage mechanism:

  • Non-volatile magnetic

Suggested removal methods:

  • Degaussing
  • Disintegration

Flash Disk Drives and USB

Data storage mechanism:

  • Non-volatile solid state memory

Suggested removal methods:

  • Multi Pass Pattern wiping
  • Degaussing
  • Disintegration

Paper

Data storage mechanism:

  • Printed

Suggested removal methods:

  • Micro Cross Cut Shredding
  • Incineration 

Phones

Data storage mechanism:

  • Non-volatile solid state memory 

Suggested removal methods:

  • Wiped using ActiveSync
  • Disintegration

Compliance

Failure to comply with this procedure could result in action in line with the University’s Disciplinary Procedure or Capability Procedure.

Compliance checks will be undertaken by the University’s Information Governance functions. The results of compliance checks, their risk assessment and their remediation will be managed by the Information Security Board.

Related documents

This control procedure needs to be understood in the context of the other policies and procedures constituting the University’s Information Security Management System.

Browse Information Security policies and control procedures

Review

A review of this policy will be undertaken by the Information Security team annually or more frequently as required, and will be approved by the Information Governance Board.

Information Security