Sensitive data must be protected from unauthorized access or disclosure throughout its entire lifecycle from origination to destruction. Electronic media and computing devices, regardless of their value, that contain sensitive information must be properly inventoried, tracked and secured at all times. Sensitive data must be properly eradicated upon destruction or redeployment.

Sensitive information must be permanently deleted from all computing devices and electronic media that is redeployed, transferred, sent to surplus, discarded, removed from service or that changes service and/or facilities.

NIST Media Sanitization Standards

Related inventory procedures: Inventory and Surplus

Important Note: See related Inventory and Surplus Policies and Procedures for details regarding the purchase, identification, inventory and surplus of equipment. Policies and standards apply to all computing devices or associated electronic media, regardless of expendable classification.

Administrative Standards

Computing Device or Electronic Media Redeployment

• Any computing device or electronic media moved from one school, department, unit or other university entity to another; transferred between personnel with different access and need to know privileges; or no longer used for specified data must have all sensitive information eradicated (see Technical Standards section for eradication guidelines).

Computing Device or Electronic Media Disposal or Surplusing

• Any computing device or electronic media removed from service, discarded, donated, or sent to surplus must have all sensitive information eradicated (see Technical Standards section for eradication guidelines).

Electronic Protected Health Information (ePHI) Note:

• A record or log of disposition must be maintained by the responsible university entity for any computing device or electronic media utilized for processing or storing ePHI.

Technical Standards:

Proper tools are required to eradicate sensitive information from electronic media. Contact your Tier 1 or ITS for information on sanitization tools.

Eradication of Data

• Total eradication of data on the computing devices or electronic media is the preferred way to provide a reasonable assurance that sensitive information has been eliminated if the device or media is not to be destroyed (see physical media destruction below).
   
  A total eradication tool must be used if the device or media is being removed from service within the university.Selective eradication of data may be used for computing devices or electronic media being redeployed (not disposed of or sent to Surplus) provided ePHI or other regulated data was not housed on the computing devices or electronic media.
   
  Electronic Protected Health Information (ePHI) Note: Computing devices or electronic media, which contain or contained ePHI must have the media sanitized using a total eradication method.
• To maximize assurance of data eradication and to minimize the chance of accidental inappropriate data deletion, the Tier 1 or other qualified support staff who understand how to use the tools outlined above must perform this procedure.
• Certification of Data Eradication -Computing Devices Surplus Certification labels are provided by the Purchasing Department to affix to the device and signify that the device or electronic media has had its data properly eradicated. It is extremely important that these procedures are followed. 

 Physical Media Destruction

• Physical destruction of electronic media is the preferred way to provide a high level of assurance that sensitive information has been eliminated if the electronic media is being disposed and not redeployed. Physical destruction is considered complete only if the media has been disposed of with a shredder or other equipment designed for destroying electronic media. "Casual destruction" (bending, cutting with scissors, breaking and similar activities) is not an adequate way to destroy electronic media.
   
  Note: If proper physical destruction tools are not available for media being disposed, properly performed total eradication of data, as described above, is acceptable.

Sensitive information: Information of a confidential or proprietary nature and other information that would not be routinely published for unrestricted public access or where disclosure is prohibited by laws, regulations, contractual agreements or University policy. This includes (but is not limited to) full name or first initial and last name and employee ID (in combination), identifiable medical and health records, grades and other enrollment information, credit card, bank account and other personal financial information, social security numbers, confidential or proprietary research data, dates of birth (when combined with name, address and/or phone numbers), user IDs when combined with a password, etc. See Information Management and Classification Standard.

Computing Devices:Includes but is not limited to workstations, desktop computers, notebook computers, tablet computers, network enabled printers, scanners and multi-function devices, mobile devices, email/messaging devices, cell phones, removable hard drives, flash or "thumb" drives, etc. all hereafter referred to as "computing devices".

Electronic Media: Includes all electronic data storage devices funded as under Computing Devices above or other electronic data storage devices used to store UofL related data. Media includes but is not limited to removable and non-removable storage such as hard drives, CDs, DVDs, magnetic tape, removable disks (floppy, zip, cartridge systems, etc.) and flash memory devices.

ePHI: Electronic Protected Health Information - Health information maintained or transmitted in an electronic format that:

1. Identifies or could be used to identify an individual;

2. Is created or received by a healthcare provider, health plan, employer or healthcare clearinghouse; and

3. Relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of healthcare to an individual.

Policy Authority/Enforcement: The University's Information Security Officer (ISO) is responsible for the development, publication, modification and oversight of these policies and standards. The ISO works in conjunction with University Leadership, Information Technology, Audit Services and others for development, monitoring and enforcement of these policies and standards.

Policy Compliance: Failure to comply with these policies and standards and/or any related information security and/or information technology policy, standard or procedure may result in disciplinary action up to and including termination of employment, services or relationship with the University and/or action in accordance with local ordinances, state or federal laws.