Skip to Content

Electronic Data Removal Policy Procedural Details

This page provides the details for the procedures referenced by the University Electronic Data Removal Policy.

NOTE: Any electronic devices or media awaiting processing under these procedures must be securely stored, for example, in a locked closet, office or drawer, and should never be left unattended in a public area. Devices and media must be surplussed promptly following removal from service.

Electronic devices or hard drives permanently leaving the University
Electronic devices or hard drives temporarily leaving the University
Electronic devices or media being transferred within the University
Disposal of electronic media other than hard drives
Highly sensitive data must be deleted using secure methods
Exceptions

1. Electronic devices or hard drives permanently leaving the University must be disposed of following the designated surplus solution, with the exception of devices returned to a leasing company, from which all software and data files must be removed.

Academic and administrative departments within Agency 207 and University foundations should follow the procedure described in Procurement's Computer Surplus Procedure.

Agency 209 (Health System) departments should follow the procedure described at HSTS Equipment Surplus Procedures.

Departments at the University of Virginia’s College at Wise (Agency 246) should contact the Helpdesk at Extension 4509 for replacement and/or removal of all electronic computing devices or hard drives.

Devices returned to a leasing company should have all software and data files removed by software that replaces previously stored data on a drive or disk with a predetermined pattern of meaningless information; a disk “initialization” is insufficient. Examples of such software are listed on the Data Removal Software page. The software must be configured to overwrite data at least three times.

2. Electronic devices or hard drives temporarily leaving the University for repair must have their data encrypted or removed.

If the storage component of the device is functioning, all data should be either 1) encrypted using a 256-bit or larger key, or 2) removed by software that replaces previously stored data on a drive or disk with a predetermined pattern of meaningless information; a disk “initialization” is insufficient. Examples of such software are listed on the Data Removal Software page.

If the storage component of the device is non-functioning, it must be either 1) removed and processed as described under items 1. or 4., or 2) degaussed (concept as explained by Wikipedia).

Note: Degaussing may or may not violate a particular warranty. A degausser is available for loan from ITS’s Departmental Computing Support group.

Note: This requirement may interfere with warranty replacement of dead hard drives. Vendors usually require the return of a dead hard drive, but such a drive cannot be accessed to remove or encrypt data. Departments are encouraged to negotiate “no return required” clauses on hard-drive warranties (see, for example, Dell's offering). Otherwise, departments may have to replace dead drives at cost outside of warranty coverage.

If the purpose of the repair is to recover lost data from the device, you must use a UVa Procurement purchase order (PO), not a purchasing card or other means of payment. A PO includes UVa's Purchasing Terms and Conditions (T&Cs), to which the vendor must agree. These T&Cs stipulate that data are covered by the University's Data Protection Addendum and Business Associate Addendum (covering potential HIPAA or PHI data).
In addition, the device must be shipped via UPS or FedEx with tracking. There are data recovery vendors who are willing to operate under the above conditions. Please email it-policy@virginia.edu for information on vendors currently known to accept this process and/or with any questions about how to proceed.

3. Electronic devices or media being transferred within the University (between departments or employees having different software and data access privileges) must have their data removed. This must occur before transfer or within two weeks, if the device isn't put back into service immediately.

Data must be removed by software that replaces previously stored data on a drive or disk with a predetermined pattern of meaningless information; a disk “initialization” is insufficient. Examples of such software are listed on the Data Removal Software page.

4. Disposal of electronic media other than hard drives must be by destruction.

Items such as magnetic tapes, diskettes, CDs, DVDs and USB storage devices must be physically destroyed by degaussing, shredding or smashing, so that the data-containing component is unreadable, before the item is disposed of via trash or recycling.

5. Highly sensitive data must be deleted using secure methods as soon as they are no longer required. Highly sensitive data should be securely deleted using one of the methods described in Secure Data Deletion or equivalent.

6. Exceptions: Any request for policy exceptions should go to the Information Security, Policy, and Records Office at
it-policy@virginia.edu.