University of Illinois System
Policies & Procedures
Last item for navigation

12.4.5 Render Data Unrecoverable on Electronic Devices Prior to Transfer or Disposal

Policy statement

All data on digital storage media must be rendered unrecoverable before the electronic device containing digital storage media is transferred between individuals or units within the University, to third-parties, or to Surplus Warehouse Operations for reuse or secure disposal. Procedural specifics for this policy are detailed in the IT15- Storage Media Security Standard. Oversight for this policy (compliance, maintenance, and definition for the associated standard) is assigned to the Chief Information Officer for each university and the University of Illinois System unless governance is otherwise provided for in university or system policy.

Consult the appropriate university information technology office or Property Accounting and Reporting for assistance.

Unit designated and assigned FABweb unit representatives submitting disposals must attest that the proper data elimination policies and procedures were followed, and the scrub label is completed and attached to all required digital media devices and equipment.

Definitions

Degauss - Permanent erasure of data rendering data unrecoverable, according to federal requirements.

Encryption Key Destroyed - All traces of a cryptographic key have been removed in such a way to render the data unrecoverable by physical or electronic means.

Inoperable Device - Electronic device (e.g., computer, USB stick, hard drive, etc.) has been rendered useless via dismantling, disrepair, or other means.

Overwritten - Previously stored data is replaced with random patterns.

Reason for the Policy

To determine whether an electronic device contains digital storage media and requires data elimination in accordance with system policy.

Applicability of the Policy

All electronic devices containing digital storage media prior to transfer between individuals or units within the system, to third-parties, or to Surplus Warehouse Operations for reuse or secure disposal.

Procedure

To remove data from electronic devices:

  1. Magnetic media must be either completely overwritten (at least one full pass) or degaussed prior to disposal;
  2. High-Risk Data Storage Device Disposal Preprocess Protocol
    1. Completely and securely overwrite or degauss storage media; OR
    2. Secure-delete all encryption keys for strongly-encrypted volumes;
    3. Conspicuously tag the device or system, indicating and confirming:
      1. The system once contained high-risk data;
      2. The storage media have been properly prepared as noted above in items A or B, and are ready for destruction;
      3. The date, unit name, and system manager name
  3. Affix a scrub label to the front of the item to certify that the unit has removed the data. On the label, ensure unit IT support completed the scrub label as follows:
    1. "Degaussed" if the data was degaussed.
    2. “Encryption key destroyed” to render the data unrecoverable.
    3. "Inoperable Device" if the device is inoperable and cannot run data elimination software.
    4. "Overwritten" if the data was overwritten.

Important: Do not remove the hard drive or other components. If the Scrub Label is missing, the unit may be charged for the cost of eliminating the data or the equipment may be returned to you for scrubbing, at the unit’s expense. Ensure the IT staffer responsible has completed, signed off, and affixed the scrub label.

  1. Consult Additional Resources below for general information about data elimination, data scrubbing software, and Scrub Labels at your university Contact OBFS – Property Accounting and Reporting if you need assistance.
    Note: Springfield—If the equipment is a digital media device, complete a transfer transaction in FABweb, transferring the computer to UIS Information Technology Services (ITS). UIS units do not need to complete a surplus/disposal request in FABweb. ITS will complete the remaining steps for these electronic items.

Related Policies and Procedures

12.4.3 Dispose of Unneeded Equipment

Additional Resources

Urbana – Technology Services
    Erasing Your Hard Drive: Disk Scrubbing

    Controls | Policies-Standards-Controls | Privacy and Cybersecurity | Technology Services at Illinois
Chicago - ACCC (Academic Computing and Communications Center)
    Revised University Guidelines on the Sale, Donation, or Transfer of Computer Hard Drives and Other Magnetic Media
Springfield - Use FABweb to transfer the item to UIS Information Technology Services. They will wipe the data.
    Illinois Data Security on State Computers Act

Scrub Labels:  Avery 5163 Data Scrub Label

Last Updated: April 3, 2023 | Approved: Senior Associate Vice President for Business and Finance | Effective: June 2011