Data Wiping and Disposal Policy

Purpose

Digital storage devices which contain licensed software programs and/or institutional data must be reliably erased and/or destroyed before the device is transferred out of University control, or erased before being transferred from one University department or individual to another.  Western Michigan University is committed to compliance with federal statutes associated with the protection of confidential information as well as ensuring compliance with software licensing agreements.

Scope

All employees of Western Michigan University have a responsibility to ensure the confidentiality of information residing on University-owned computer systems and other digital storage devices as well as any non-reusable media.

All computers and digital storage devices including, but not limited to desktop workstation, laptop, server, notebook, and handheld computer hard drives; external hard drives; and all external data storage devices such as disks, flash drives, DVD, and CD, are covered under the provisions of this policy.

Policy statements

  • All electronic storage media should be sanitized when it is no longer necessary for business use, provided that the sanitization does not conflict with University data retention policies.
  • All electronic storage media should be sanitized prior to sale, donation or transfer of ownership.  A transfer of ownership may include transitioning media to someone in your department with a different role, relinquishing media to another department, or replacing media as part of a lease agreement.
  • All University employees are responsible for the sanitization of non-reusable electronic media before disposal. Similar to shredding paper reports, CDs and other non-rewritable media should be destroyed before disposal.
  • Deans, directors and department heads are responsible for the sanitation of all WMU owned electronic devices and computer systems in their units prior to removal from a department or the campus. This responsibility may be delegated within the college as deemed appropriate.
  • Any disposal of computer equipment and media storage devices must comply with all surplus disposal procedures as defined by the logistical services department.

NOTE: When removing sensitive information, do not forget storage devices such as thumb drives, back-up external hard drives and CDs. Also, be sure to erase any stored names and numbers from phones and fax machines.

Enforcement

Any person found to be in violation of this policy will be subject to appropriate disciplinary actions as defined by current University policy and/or collective bargaining agreements.

Related Links

Document action 

Approved by: Campus Information Security Committee, Oct. 2011