This document supplements the requirements of BU Data Protection Guideline 1.2.D – Data Protection Requirements. It provides information related to the proper disposal of sensitive information in such a way as to prevent its continued use.
There are legal, regulatory, contractual, and policy requirements that may extend the duration for which information must be retained beyond its useful life. Before disposing of data, please review the University Record Retention Policy (FA-002). DO NOT destroy paper or electronic records that the University Record Retention Policy (FA-002) requires be maintained. In addition, DO NOT destroy records if you have received a “litigation hold” notice from the Office of the General Counsel concerning actual or threatened litigation, or if you have reason to believe that documents relate to a dispute that may result in litigation. If you have any questions, please contact BU Information Security or the Office of the General Counsel before you destroy either paper or electronic records.
Paper records are by far the easiest to deal with. Paper records containing only Public information should be recycled if possible, or otherwise disposed of appropriately.
Paper records containing Internal, Confidential, or Restricted Use information must be physically destroyed prior to recycling or disposal. While any shredder is sufficient for Internal or Confidential documents, Massachusetts law requires that paper records that contain Restricted Use information must be burned, pulverized, or shredded so that personal data cannot practicably be read or reconstructed. Boston University recommends the use of a crosscut shredder for these documents. Once shredded, these documents should be recycled if possible, or otherwise disposed of appropriately.
Non-erasable Media (CD-ROMs, DVDs)
Some media, such as CD-ROMs and DVDs, are intended for a single use. Once written, the information on these types of media cannot be easily removed. If a piece of media of this type contains Internal, Confidential, or Restricted Use information, the media should be physically destroyed when it is no longer needed. Many paper shredders today support physical destruction of this type of media. If your department deals with Internal, Confidential, or Restricted Use information on this type of media, you should ensure that an appropriate mechanism for physically destroying the media exists. In some cases, data destruction services may be contracted to aid in destroying this kind of media.
Data Destruction Services
For offices that need to destroy large quantities of paper documentation, shredding individual documents may present a large burden. These departments should contract with approved data destruction companies that allow documents to be collected in locked bins on site and then taken off-site for destruction. The preferred vendors at Boston University are Shred-it, Access Corp, and Allied Computer Brokers (ACB). For more information on approved vendors for media management, visit: https://www.bumc.bu.edu/it/infosec/researchcompliance/paper-record-and-media-management/.