This document supplements the requirements of BU Data Protection Guideline 1.2.D - Data Protection Requirements 1.2.D - Data Protection Requirements.  It provides information related to the proper disposal of sensitive information in such a way as to prevent its continued use.

Overview

When data is no longer required it must be disposed of in a way that prevents its continued use.   Electronic data can be difficult to dispose of effectively.  Reusable storage devices are intended to have a long service life and may be erased and rewritten continuously during their life.  Hard disk drives, USB storage devices, solid-state memory cards, portable disk drives, floppy diskettes, and data storage tapes are all examples of media intended for reuse.

There are legal, regulatory, contractual, and policy requirements that may extend the duration for which information must be retained beyond its useful life.  Before disposing of data please review the University Record Retention Policy (FA-002).  DO NOT destroy paper or electronic records that the University Record Retention Policy (FA-002) requires be maintained.  In addition, DO NOT destroy records if you have received a “litigation hold” notice from the Office of the General Counsel concerning actual or threatened litigation or if you have reason to believe that documents relate to a dispute that may result in litigation.  If you have any questions, please contact BU Information Security or the Office of the General Counsel before you destroy either paper or electronic records.

When Physical Destruction of a Device is Required

In some cases, even securely erasing a disk does not provide adequate protection against unintended disclosure or loss of data.  In these cases the device must be physically destroyed.

A reusable device must be physically destroyed when:

  • It contains any Confidential or Restricted Use information and it is not possible to delete the data because the device hardware has failed.
  • It contains any electronic Protected Health Information (ePHI) as defined in the Device and Media Control Policy (BU-100-003).

This means that for systems storing Confidential or Restricted Use information it is not possible to return the device to the hardware vendor for warranty or contract-based hardware support.  This will likely incur an additional hardware cost to the department to support machines containing this information when such events occur.

It is important that these requirements are also made clear to individuals storing Confidential information on personally owned computers and devices.  These devices are subject to the same terms, but replacement may be at the owner’s expense.  Restricted Use information may not be stored on personally owned computers and devices.

Proper physical destruction requires special tools and equipment.  Information Services and Technology offers a Media Destruction service.  Please see the following URL for more information:

Media Destruction