Computer Equipment Disposal and Media Sanitization

Computer and electronic equipment often contains heavy metals and other hazardous materials that adversely affect the environment is not disposed of in a proper manner.  Correct recycling reduces the environmental impact and allows non-profit organizations to obtain electronic equipment at a reduced cost.

In addition, this equipment may contain personal, confidential or legally-protected information that, if not properly erased or destroyed, could lead to inappropriate disclosure, identity theft, and liability to the equipment's owner and KUMC.

Purpose
The purpose of this policy is to ensure that members of the University community dispose of KUMC-owned electronic equipment in both an environmentally responsible and secure manner.  This policy is required by State of Kansas policy, federal guidelines including Section 164.310(d)(1) and (2) of the Health Information Portability and Accountability Act of 1996 (HIPAA), the Gramm-Leach-Bliley Act (GLBA), the Family Educational Rights and Privacy Act (FERPA) and IRS Publication 175.

Resources Covered by This Policy
This policy applies to any computer equipment or peripheral devices that are no longer needed in a department including, but not limited to the following:  personal computers, servers, hard drives, laptops, mainframes, smartphones, personal digital assistant (PDA) devices or handheld computers ( i.e., Windows Mobile, iOS or Android-based devices), peripherals (i.e., keyboards, mice, speakers), printers, scanners, typewriters, compact and floppy discs, portable storage devices (i.e., USB drives), backup tapes, printed materials, and microfiche.

This policy includes equipment that may have been purchased with grant, faculty startup, or other outside funding. Equipment purchased with federal grant funds may have specific federal guidelines that will need to be observed by the department. It is the responsibility of the department to ensure any federal guidelines are coordinated with University staff involved with the disposal of surplus equipment.

Individuals and Groups Covered By This Policy
This policy applies to all KUMC faculty, staff, and students; employees of the University of Kansas Physicians, Inc. as well as vendors, contractors, or any others who have access to KUMC systems or data.

Exemptions
This policy applies to everyone at all campuses and sites of the University of Kansas Medical Center. There are no exemptions.

Definitions

Degaussing: a media sanitization method whereby magnetic storage media like tape or a hard disk drive are demagnetized and rendered permanently unusable.

Disposal: the act of discarding media with no other sanitization considerations. Examples of disposal include discarding paper in a recycling container, deleting electronic documents using standard file deletion methods and discarding electronic storage media in a standard trash receptacle.

Media: material on which data are or may be recorded, such as magnetic disks or tapes, solid state devices like USB flash drives, optical discs like CDs and DVDs, or paper-based products.

Media sanitization: the process of removing data from storage media such that there is reasonable assurance that the data may not be retrieved and reconstructed.

Pulverization: a physically destructive method of sanitizing media; the act of grinding to a powder or dust.

Purging: an advanced type of media sanitization that renders media unreadable by repeatedly overwriting data with random characters or degaussing. This prevents data from being recovered with standard disk and file recovery utilities.

Destroying: rendering media unusable through techniques such as disintegration, incineration, pulverizing, shredding and melting. This is also a common practice when permanently discarding hard drives.

Sensitive information:   Guidelines for identifying and protecting sensitive information at the University of Kansas Medical Center are discussed in the operational protocol titled "Sensitive Information in Electronic and Paper-Based Systems" and the accompanying document titled "What is Sensitive Information?".

Responsibilities

The Director of Information Security and Director of Environment, Health and Safety will establish and oversee an approved equipment disposal process in accordance with this policy and current environmental safety requirements.

Department chairs, directors and managers will ensure that equipment employed for use in their respective departments are disposed of in accordance with this policy.

Requirements for Equipment Sanitization and Disposal

1. The only approved method for disposing of computer equipment owned or managed by the University is through the official University process. Staff, faculty and students cannot destroy, resell or otherwise remove University-owned or managed equipment except through this process.
2. Equipment that will be reassigned within the department should have all data purged to prevent unauthorized disclosure.
3. Equipment leaving control of the responsible department and destined for reuse by another department or final disposal must have all data purged in a manner that renders the data unrecoverable.
4. Electronic storage media must be physically destroyed when other approved sanitization methods are not effective.  Approved methods for physical destruction include shredding, pulverizing, disintegration or incineration.

Procedures

KUMC requires the destruction of all data in computers or electronic storage devices prior to final disposal.  The following procedures must be followed for the disposal of all computer equipment and storage devices to ensure secure removal of any information that may be on the device. 

• The department or owner of computer equipment or electronic devices must complete a computer equipment disposal form for each piece of equipment that is to be disposed of, located on the Environment, Health and Safety Office web site.
• The department or owner will deliver the obsolete equipment and associated Computer Equipment Disposal Form to the designated drop-off location.  The Environmental Health and Safety Office sponsors a drop-off for obsolete equipment each month and the date and time is announced in a Critical Information email to all staff.
• Departments with a large number of devices (more than 40) or oversized equipment should contact the Environmental Health and Safety Office to request that the equipment be picked up.
• Information Resources staff will assess the equipment as to whether it will be retained for use as spares for other campus equipment or if the equipment is to proceed to final disposal.
• For any equipment that is to be disposed of or reassigned, Information Resources staff will follow procedures to ensure any information on the equipment has been permanently removed. For all storage devices, this is defined as using software that meets US Department of Defense Standard DoD 5220.22-M to overwrite the data so that old data cannot be recovered.   Simply erasing the data or reformatting the hard drive does not prevent data from being recovered by technical means.
• Information Resources staff will fully destroy and properly dispose of any electronic devices that cannot be cleaned sufficiently to guarantee that all data has been removed during the cleanup procedures.
• Once the equipment has been properly prepared, it will be disposed of through standard surplus handling procedures.
• A record of all equipment sent for disposal and the method in which all information was removed (i.e., DoD overwriting or physical destruction) from each device will be maintained.
• Departments may dispose of computer media (i.e., floppy disk, tape media, zip media, CD media, DVD media, microfiche, USB storage devices) once it has been rendered unreadable. The preferred method is physical destruction and/or mutilation of the computer media that renders it unusable. This would include shredding or cutting of the floppy disk or tape media or physically breaking the CD or DVD media.

Enforcement

Suspected or known violations of this policy will be reported to the appropriate University officials, and may result in:

• Accountability for conduct under any applicable University or campus policies, procedures, or collective bargaining agreements, including disciplinary action.
• Prosecution under applicable statutes.

Suspected or known violations of University regulations and/or State and Federal law will be processed by the appropriate University authorities and/or law enforcement agencies.

Additional Resources

University of Kansas Medical Center Operational Protocol on "Sensitive Information in Electronic and Paper-Based Formats"

State of Kansas Information Technology Policy 7900 (Enterprise Media Sanitization and Disposal Policy)

National Institute of Standards and Technology Special Publication 800-88 (Guidelines for Media Sanitization)

HIPAA Security Final Rules, Section 164.310, Physical Safeguards, part (d), (1) & (2)

IRS Publication #175, Tax Information Security for Federal, State, and Local Agencies and Other Entities

Contact information

For information on this policy, please contact:

Sherry Callahan
Director of Information Security
Department of Information Resources
University of Kansas Medical Center
1020 Taylor, 3901 Rainbow Blvd
Kansas City, Kansas 66160
(913) 588-0966

Steffani Webb
Associate Vice Chancellor for Information Resources
Chief Information Officer (Interim)
University of Kansas Medical Center
1014 Taylor, 3901 Rainbow Blvd
Kansas City, Kansas 66160
(913) 588-7300

Ryan Lickteig
Director of the Environment, Health and Safety Office
University of Kansas Medical Center
B320 KU Hospital, 3901 Rainbow Blvd
Kansas City, Kansas 66160
(913) 588-1081

Last Review Date: March 13, 2011
Last Revision Date: March 13, 2011