Washington University in St. Louis’ university data resources, by definition, practice, and intent, are university assets. This document establishes guidelines for the reuse and disposal of media containing securable university data and the responsibilities of the owners of those media for sanitization. The guideline refers to all media containing securable university data, whether printed or electronic, and will serve to:
All media containing securable university data, whether hardcopy or electronic, is subject to this guideline when it leaves the control of the responsible department and is destined for reuse or disposal. Media that will be reused within a department where there is a transfer in ownership is also subject to this guideline.
All media containing securable university data is under the control of the data steward/owner for that data. A change or transfer in ownership of the physical media containing securable university data does not negate the responsibility of the data steward/owner.
Every data steward/owner of a university system that hosts or consumes university data is responsible for implementing and ensuring compliance with Washington University in St. Louis’ Media Reuse and Disposal Guideline and must initiate corrective action with the proper authorities of the university if it is needed. Responsibilities include:
Outline procedures that govern receipt, removal and movement of hardware and electronic media containing ePHI or securable university data within the workspace of the department. These guidelines and procedures pertain to the use of hard drives, storage systems, removable disks, floppy drives, CD-ROMs, memory sticks, and all other forms of removable media and storage devices.
PCs, Laptops, Tablets, Phones: Before wiping data from any of these types of devices, users, system managers or the Network Security Office staff must ensure that there is no ePHI or securable university data located on the device. If no ePHI or securable university data is found (at present), the device may be wiped clean using a data destruction tool. If ePHI or securable university data is found to reside on the device, AND if it is the only copy of said ePHI or securable university data, that data must be copied to an alternate and equally secure location prior to the drive or disk being erased. When a PC or laptop is leaving the department for whatever reason, the device must be wiped clean using the data destruction tool prior to leaving the department. Note that a data destruction tool which adheres to the Department of Defense (DoD 5220.22-M) standard is recommended. Note that in cases where a hard drive is not functioning and a data destruction tool cannot be used, the drive must either be degaussed or physically destroyed.
CDs, etc.: If any of these types of media storage are known to contain ePHI or securable university data, they must be destroyed when no longer needed. Floppy disks must be erased using the data destruction tool or physically destroyed, and CDs must be physically broken prior to disposal.
Flash Memory Sticks: Memory sticks in which ePHI or securable university data has been stored must be formatted and the data destroyed using the data destruction tool. If a memory stick is no longer working and accessible, and cannot be formatted, it must be physically destroyed prior to disposal.
PCs, Laptops, Tablets, Phones: The user must oversee the movement of a device containing ePHI or securable university data if moving is performed by a third party (e.g., a moving company) and the device is not otherwise physically secured. Encryption is also recommended and, in some cases, required by federal and state law.
Flash Memory Sticks: Users must use care when carrying these devices from location to location to ensure they are not lost or stolen. Files located on the devices should be either encrypted or password protected. Encryption is also recommended and, in some cases, required by federal and state law.
Offsite backup media: If removable media used for backup and disaster recovery is stored and transported between locations using a secured environment, the use of a data destruction tool between uses is not necessary.
Updated April 1, 2013.