The purpose of this policy is to define standards for proper data sanitation and/or disposal of electronic storage media that has (or may have) contained personal information at Babson College.
Electronic Storage Media – Any electronic device that can be used to store data. This includes but is not limited to internal and external hard drives, CDs, DVDs, Floppy Disks, USB drives, ZIP disks, magnetic tapes and SD cards.
Personal information - An individual’s first name and last name or first initial and last name in combination with one or more of the following data elements: social security number, driver’s license number or state-identification card number, or financial account number, or credit or debit card number, with or without any required security code, access code, personally identifiable identification number or password, that would permit access to a resident’s financial account. (Massachusetts General Law Chapter 93H)
Sensitive Information – Data whose disclosure would not result in any business, financial or legal loss but involves issues of personally identifiable credibility, privacy or reputation. The security and protection of this data is dictated by a desire to maintain staff and student privacy.
Sanitizing Storage Media - The National Institute of Standards and Technology (“NIST”) has defined four methods of data sanitization in NIST Special Publication 800-88, Guidelines for Media Sanitization. These four methods are as follows:
- Disposal is defined as the act of discarding media with no other sanitization considerations. Examples of Disposal include discarding paper in a recycling container, deleting electronic documents using standard file deletion methods and discarding electronic storage media in a standard trash receptacle.
- Clearing is defined as a level of sanitization that renders media unreadable through normal means. Clearing is typically accomplished through an overwriting process that replaces actual data with 0’s or random characters. Clearing prevents data from being recovered using standard disk and file recovery utilities.
- Purging is defined as a more advanced level of sanitization that renders media unreadable even through an advanced laboratory process. In traditional thinking, Purging consists of using specialized utilities that repeatedly overwrite data; however, with advancements in electronic storage media, the definitions of Clearing and Purging are converging. For example, Purging a hard drive manufactured after 2001 only requires a single overwrite. For the purpose of this Policy, Clearing and Purging will be considered the same. Degaussing is also an acceptable method of Purging electronic storage media
- Destroying is defined as rendering media unusable. Destruction techniques include but are not limited to disintegration, incineration, pulverizing, shredding and melting. This is a common sanitization method for single-write storage media such as a CD or DVD for which other sanitization methods would be ineffective. This is also a common practice when permanently discarding hard drives.
This policy applies to all personnel who have responsibility for the handling and proper dispoal of electronic storage media at Babson College.
Policy Content and Guidelines
All electronic storage media should be sanitized (Cleared/Purged) prior to sale, donation, being moved to unsecured storage (for spare parts), or transfer of ownership. A transfer of ownership may include transitioning media to another individual or department at the College or replacing media as part of a lease agreement.
All electronic storage media must be destroyed when it has reached the end of its useful life and/or when other sanitizing methods are not effective (e.g. single-write media or media that is permanently write protected), provided that the destruction does not conflict with College data retention policies or any regulatory requirements (e.g. electronic discovery).
Vice President for Administration and CIO Vice President and General Counsel
This policy was originally approved on: This version was approved on: This version takes effect from: This policy will be reviewed by:
Director, Architecture & Development