DATA DISPOSAL POLICY (Reference)

This document outlines a data disposal policy and procedure for the University of Kansas. It states that sensitive electronic data and licensed software must be properly cleaned or destroyed from computer systems, devices, and media before they are disposed of, recycled, or transferred. Acceptable methods of disposal include overwriting data, magnetic erasure, or physical destruction. The procedure provides guidelines for determining the appropriate method based on the data sensitivity and destination of the device. It also describes tools and processes for cleaning or destroying drives to ensure data is properly removed.

Uploaded by

Iwan Irawan

DATA DISPOSAL POLICY

PURPOSE: 

Data confidentiality is an issue of legal and ethical concern. The purpose of this policy is
to provide for proper cleaning or destruction of sensitive/confidential data and licensed
software on all computer systems, electronic devices and electronic media being
disposed, recycled or transferred either as surplus property or to another user.
APPLIES TO: 

University employees (e.g., faculty, staff, student employees) and other covered
individuals (e.g., affiliates, vendors, independent contractors, etc.) in their handling of
University data, information and records in electronic form during the course of
conducting University business (administrative, financial, teaching, research or service).
CAMPUS: 
Lawrence
POLICY STATEMENT: 

The University of Kansas requires that before any computer system, electronic device or
electronic media is disposed, recycled or transferred either as surplus property or to
another user, the system, media or device must be either:

• properly sanitized of University sensitive/confidential data and software, or
• properly destroyed.

Any official University records must be appropriately retained / disposed of based on the
University’s records retention policy prior to erasure or destruction of the system, device
or media.

Electronic media must be sanitized following the guidelines in NIST Special Publication
800-88, “Guidelines for Media Sanitization”. The specific procedures and requirements
to be followed when cleaning or destroying computer systems, electronic devices and
electronic media are found in the Electronic Data Disposal Procedure document.
CONSEQUENCES: 

Faculty, staff and student employees who violate this University policy may be subject to
disciplinary action for misconduct and/or performance based on the administrative
process appropriate to their employment.

Students who violate this university policy may be subject to proceedings for non-
academic misconduct based on their student status.
Faculty, staff, student employees and students may also be subject to the
discontinuance of specified information technology services based on the policy
violation.
CONTACT: 
Office of the Chief Information Officer
1001 Sunnyside Avenue 
Lawrence, KS 66045
785-864-4999
kucio@ku.edu
APPROVED BY: 
Provost and Executive Vice Chancellor
APPROVED ON: 
Thursday, August 14, 2008
EFFECTIVE ON: 
Thursday, August 14, 2008
REVIEW CYCLE: 
Annual (As Needed)

ELECTRONIC DATA DISPOSAL PROCEDURE


PURPOSE: 

The purpose of this procedure is to implement the University of Kansas Electronic Data Disposal
Policy.
APPLIES TO: 

University employees (e.g., faculty, staff, student employees) and other covered individuals (e.g.,
affiliates, vendors, independent contractors, etc.) in their handling of University data,
information, and records in electronic form during the course of conducting University business
(administrative, financial, teaching, research, or service).
CAMPUS: 

Lawrence

PROCEDURES STATEMENT: 
Overview

When a file is deleted, the operating system does not completely remove the file from the disk;
rather, the file deletion removes only the reference to the file from the file system table. The file
remains on the disk until a subsequent file is created over the original file. However, even after
the file is overwritten, it is possible to recover data from the original file by studying the magnetic
fields on the disk platter surface if the drive was manufactured before 2001. This is referred to as
a “laboratory attack”. Other drives may contain data that can be retrieved with specialized
software. This is referred to as “deleted file retrieval”. The only way to prevent these kinds of
inadvertent file sharing or file access is to appropriately clean (e.g., sanitize) the hard drive or
other media by performing a data wipe or over-write, or to physically destroy the hard drive or
other media before it reaches its next owner or destination. The required procedures for
performing a data wipe or over-write, or for physically destroying the hard drive or other media,
are set forth below.

Any official University records must be appropriately retained / disposed of based on the
University’s records retention policy prior to cleaning or destruction of the system, device, or
media.

Overwriting Hard Drives or other Media

The sanitization method for the media depends on the information stored on the media, the age of
the media, and on its next destination. The following table should help decide how to handle a
particular computer or device.

NIST Special Publication 800-88, “Guidelines for Media Sanitization”, defines the terms and
methods for sanitizing hard drives and other media.
Clearing: Overwriting the media
Purging: Magnetic erasure of the media
Destruction: Physical destruction of the media

Examples of Sensitive and Confidential Information include, but are not limited to, the following
data types:

• Social Security Numbers
• Student educational records
• Health care records
• Bank account and other financial information
• Research data
• Personnel data
• Other confidential or sensitive University business information
• Proprietary software

If you need assistance removing data, or if you are not sure whether the data stored on a device is
Sensitive or Confidential, please contact the IT Security Office at 785-864-9003 or itsec@ku.edu.

| New Location of Device | Data stored on Device | Recommendation |
|---|---|---|
| Same department | No Sensitive/Confidential data | Reformat or reimage |
| Another department or unit | No Sensitive/Confidential data | Reformat or reimage |
| Same department to staff with access to same information | Sensitive/Confidential data | Reformat or reimage |
| Same department to staff with lower access (or student worker) | Sensitive/Confidential data | Clear |
| Another department or unit | Sensitive/Confidential data | Clear |
| Recycling or disposal (including surplus) | All data | Clear |
| Drive manufacture date prior to 2001 or unknown | Sensitive/Confidential data | Purge |
| Non-functioning media | All data | Purge (magnetic); Destroy (solid state) |

The most current research on data retrieval indicates a single pass of random data or zeros
(Clearing) is all that is required to sanitize a functioning hard drive manufactured after 2001.
Clearing the drive prevents deleted file retrieval. Laboratory attacks are not possible on modern
hard drives.
Tools

To properly clean your electronic media, please use the utility called "Darik's Boot and Nuke"
(DBAN).

This tool will create an easy-to-use cleaning floppy or CD that can be used in most computers. It
will allow you to boot from the media and begin the cleaning process without needing to install
any other software on the computer. DBAN allows you to choose a number of options.

Physical Destruction of Hard Drives or other Media

If the computer system, electronic device, or electronic media will not be reused, physical
destruction is an acceptable method of disposing of the University data. Individuals desiring to
have a computer system, electronic device, or electronic media destroyed may contact the IT
Customer Service Center (CSC) at 864-8080 to arrange for drop-off or pick-up of their eWaste.

eWaste Delivered to the Computing Services Facility (CSF)

1. All items must have been approved for disposal following University disposition
of property guidelines.
2. Department must have the hard drives removed from CPUs and servers before
they are delivered to the CSF loading dock.
3. Department must have University of Kansas/IT Department eWaste Processing
Form filled out before bringing items to CSF dock.
4. When hard drives are degaussed, departments requesting confirmation will be
sent a Certificate of Destruction. All certificates must be signed by a full-time IT
employee.
5. Department will be charged for disposal of CRTs and televisions at the current
published rate, provided on the eWaste Recycling site.

eWaste Pickup Procedure

1. All equipment must have been approved for disposal following
University disposition of property guidelines.
2. Departments must remove hard drives from CPUs and servers before pick-up.
3. Departments must call the IT CSC to schedule a pick-up.
4. Departments must fill out a University of Kansas/IT Department eWaste
Processing Form before equipment is picked up for disposal.
5. When hard drives are degaussed, departments requesting confirmation will be
sent a Certificate of Destruction. All certificates must be signed by a full-time IT
employee.
6. Department will be charged for disposal of CRTs and televisions at the current
published rate, provided on the eWaste Recycling site.

CONSEQUENCES: 

Faculty, staff, and/or student employees who violate this University policy may be subject to
disciplinary action for misconduct and/or performance based on the administrative process
appropriate to their employment.

Students who violate this University policy may be subject to proceedings for non-academic
misconduct based on their student status.

Faculty, staff, student employees, and students may also be subject to the discontinuance of
specified information technology services based on the policy violation.
CONTACT: 

Office of the Chief Information Officer


1001 Sunnyside Avenue 
Lawrence, KS 66045
785-864-4999
kucio@ku.edu
APPROVED BY: 

Provost and Executive Vice Chancellor

APPROVED ON: 

Thursday, August 14, 2008

EFFECTIVE ON: 

Thursday, August 14, 2008

REVIEW CYCLE: 

Annual (As Needed)
