
KUMC Computer Equipment Disposal and Media Sanitization

Policy
Purpose: 

Principle

Computer and electronic equipment often contains heavy metals and other hazardous materials that adversely affect the environment if not disposed of in a proper manner. Correct recycling reduces the environmental impact and allows non-profit organizations to obtain electronic equipment at a reduced cost.

In addition, this equipment may contain personal, confidential or legally-protected information that, if not properly erased or destroyed, could lead to inappropriate disclosure, identity theft, and liability to the equipment's owner and KUMC.

Purpose
The purpose of this policy is to ensure that members of the University community dispose of KUMC-owned electronic equipment in both an environmentally responsible and secure manner. This policy is required by State of Kansas policy, federal guidelines including Section 164.310(d)(1) and (2) of the Health Information Portability and Accountability Act of 1996 (HIPAA), the Gramm-Leach-Bliley Act (GLBA), the Family Educational Rights and Privacy Act (FERPA) and IRS Publication 175.

Applies to: 

Resources Covered by This Policy
This policy applies to any computer equipment or peripheral devices that are no longer needed in a department including, but not limited to, the following: personal computers, servers, hard drives, laptops, mainframes, smartphones, personal digital assistant (PDA) devices or handheld computers (i.e., Windows Mobile, iOS or Android-based devices), peripherals (i.e., keyboards, mice, speakers), printers, scanners, typewriters, compact and floppy discs, portable storage devices (i.e., USB drives), backup tapes, printed materials, and microfiche.

This policy includes equipment that may have been purchased with grant, faculty startup, or other outside funding. Equipment purchased with federal grant funds may have specific federal guidelines that will need to be observed by the department. It is the responsibility of the department to ensure any federal guidelines are coordinated with University staff involved with the disposal of surplus equipment.

Individuals and Groups Covered By This Policy
This policy applies to all KUMC faculty, staff, and students; employees of the University of Kansas Physicians, Inc. as well as vendors, contractors, or any others who have access to KUMC systems or data.

Responsibilities
The Director of Information Security and Director of Environment, Health and Safety will establish and oversee an approved equipment disposal process in accordance with this policy and current environmental safety requirements.

Department chairs, directors and managers will ensure that equipment employed for use in their respective departments is disposed of in accordance with this policy.

Campus: 
Medical Center, Kansas City
Wichita
Salina
Policy Statement: 

Requirements for Equipment Sanitization and Disposal

  1. The only approved method for disposing of computer equipment owned or managed by the University is through the official University process. Staff, faculty and students cannot destroy, resell or otherwise remove University-owned or managed equipment except through this process.
  2. Equipment that will be reassigned within the department should have all data purged to prevent unauthorized disclosure.
  3. Equipment leaving control of the responsible department and destined for reuse by another department or final disposal must have all data purged in a manner that renders the data unrecoverable.
  4. Electronic storage media must be physically destroyed when other approved sanitization methods are not effective. Approved methods for physical destruction include shredding, pulverizing, disintegration or incineration.

Procedures

KUMC requires the destruction of all data in computers or electronic storage devices prior to final disposal. The following procedures must be followed for the disposal of all computer equipment and storage devices to ensure secure removal of any information that may be on the device.

  • The department or owner of computer equipment or electronic devices must complete a computer equipment disposal form for each piece of equipment that is to be disposed of, as per instructions located on the Environment, Health and Safety Office web site.
  • The department or owner will deliver the obsolete equipment and associated Computer Equipment Disposal Form to the designated drop-off location. The Environmental Health and Safety Office sponsors a drop-off for obsolete equipment each month, and the date and time are announced in a Critical Information email to all staff.
  • Departments with a large number of devices (more than 40) or oversized equipment should contact the Environmental Health and Safety Office to request that the equipment be picked up.
  • Information Resources staff will assess the equipment as to whether it will be retained for use as spares for other campus equipment or if the equipment is to proceed to final disposal.
  • For any equipment that is to be disposed of or reassigned, Information Resources staff will follow procedures to ensure any information on the equipment has been permanently removed. For all storage devices, this is defined as using software that meets US Department of Defense Standard DoD 5220.22-M to overwrite the data so that old data cannot be recovered. Simply erasing the data or reformatting the hard drive does not prevent data from being recovered by technical means.
  • Information Resources staff will fully destroy and properly dispose of any electronic devices that cannot be cleaned sufficiently to guarantee that all data has been removed during the cleanup procedures.
  • Once the equipment has been properly prepared, it will be disposed of through standard surplus handling procedures.
  • A record of all equipment sent for disposal and the method by which all information was removed (i.e., DoD overwriting or physical destruction) from each device will be maintained.
  • Departments may dispose of computer media (i.e., floppy disk, tape media, zip media, CD media, DVD media, microfiche, USB storage devices) once it has been rendered unreadable. The preferred method is physical destruction and/or mutilation of the computer media that renders it unusable. This would include shredding or cutting of the floppy disk or tape media or physically breaking the CD or DVD media.
Exclusions or Special Circumstances: 

This policy applies to everyone at all campuses and sites of the University of Kansas Medical Center. There are no exemptions.

Consequences: 

Suspected or known violations of this policy will be reported to the appropriate University officials, and may result in:

  • Accountability for conduct under any applicable University or campus policies, procedures, or collective bargaining agreements, including disciplinary action.
  • Prosecution under applicable statutes.

Suspected or known violations of University regulations and/or State and Federal law will be processed by the appropriate University authorities and/or law enforcement agencies.

Contact: 

For information on this policy, please contact:

Eric Walters
Director of Information Security
Department of Information Resources
University of Kansas Medical Center
1020 Taylor, 3901 Rainbow Blvd
Kansas City, Kansas 66160
(913) 588-0966

Michael Harmelink
Associate Vice Chancellor for Information Resources
Chief Information Officer
University of Kansas Medical Center
1014 Taylor, 3901 Rainbow Blvd
Kansas City, Kansas 66160
(913) 588-4900

Ryan Lickteig
Director of the Environment, Health and Safety Office
University of Kansas Medical Center
B320 KU Hospital, 3901 Rainbow Blvd
Kansas City, Kansas 66160
(913) 588-1081

Approved by: 
Chief Information Officer, KUMC
Approved on: 
Monday, March 27, 2006
Effective on: 
Monday, March 27, 2006
Review Cycle: 
Annual (As Needed)
Definitions: 

Degaussing: a media sanitization method whereby magnetic storage media like tape or a hard disk drive are demagnetized and rendered permanently unusable.

Disposal: the act of discarding media with no other sanitization considerations. Examples of disposal include discarding paper in a recycling container, deleting electronic documents using standard file deletion methods and discarding electronic storage media in a standard trash receptacle.

Media: material on which data are or may be recorded, such as magnetic disks or tapes, solid state devices like USB flash drives, optical discs like CDs and DVDs, or paper-based products.

Media sanitization: the process of removing data from storage media such that there is reasonable assurance that the data may not be retrieved and reconstructed.

Pulverization: a physically destructive method of sanitizing media; the act of grinding to a powder or dust.

Purging: an advanced type of media sanitization that renders media unreadable by repeatedly overwriting data with random characters or degaussing. This prevents data from being recovered with standard disk and file recovery utilities.

Destroying: rendering media unusable through techniques such as disintegration, incineration, pulverizing, shredding and melting. This is also a common practice when permanently discarding hard drives.

Sensitive information: Guidelines for identifying and protecting sensitive information at the University of Kansas Medical Center are discussed in the operational protocol titled "Sensitive Information in Electronic and Paper-Based Systems" and the accompanying document titled "What is Sensitive Information?"

Keywords: 
media, sanitization, equipment, disposal
Review, Approval & Change History: 

2014-07-17: Updated contact information.

2014-02-28: Reviewed and moved into KU Policy Library.

2013-04-18: Reviewed with no changes.

2012-06-13: Revised to reflect changes in form location and changes to disposal process.

2011-03-13: Reviewed with no changes.

Information Access & Technology Categories: 
Information Technology
