Data Sanitisation Procedure

(1) Digital storage devices which contain licensed software programs and/or institutional data must be reliably erased and/or destroyed before the device is transferred out of University control, or erased before being transferred from one University department or individual to another. Australian Catholic University is committed to compliance with Federal statutes associated with the protection of confidential information as well as ensuring compliance with software licensing agreements.

(2) All employees of Australian Catholic University have a responsibility to ensure the confidentiality of University information residing on the computer systems and other digital storage devices as well as any non-reusable media they use, whether it be University or personally owned.

(3) Electronic media, which are devices containing bits and bytes such as hard drives, random access memory (RAM), read-only memory (ROM), disks, flash memory, memory devices, phones, mobile computing devices, networking devices, and backup tapes, are covered under the provisions of this Procedure. In the future, organisations will be using media types not specifically addressed by this Procedure.

(4) The processes described in this document should guide media sanitisation decision making regardless of the type of media in use. To effectively use this Procedure for all media types, organisations and individuals should focus on the information that could possibly have been recorded on the media, rather than on the media itself.

(5) All electronic storage media should be sanitised when they are no longer necessary for business use, provided that the sanitisation does not conflict with University data retention policies (see the Records and Archive Management Policy and Records Retention and Disposal Schedule).

(6) All electronic storage media should be sanitised prior to sale, donation or transfer of ownership. A transfer of ownership may include transitioning media to someone in your department with a different role, relinquishing media to another department, or replacing media as part of a lease agreement. A service request must be raised and the electronic media provided to Information Technology (IT), which will perform the sanitisation process appropriate to the electronic media type.

(7) All University employees are responsible for the sanitisation of non-reusable electronic media before disposal. Similar to shredding paper reports, CDs and other non-rewritable media should be destroyed before disposal.

(8) Deans, Directors and Department heads are responsible for ensuring the sanitisation of all ACU owned electronic devices and computer systems in their business units prior to disposal. This responsibility may be delegated within the business unit as deemed appropriate. To action this, a service request must be raised and the machine(s) provided to IT, which will perform the sanitisation process.

(9) Disposal without sanitisation should be considered only if information disclosure would have no impact on organisational mission, would not result in damage to organisational assets, and would not result in financial loss or harm to any individuals.

(10) Where suitable, NIST Special Publication 800-88 Rev 1, Guidelines for Media Sanitization, will be referred to as the standard to be adhered to.

(11) Any disposal of computer equipment and media storage devices must comply with the Asset Management Policy.

(12) Any person found to be in violation of this Procedure will be subject to appropriate disciplinary actions as defined by current University policy and/or collective bargaining agreements.

(13) Unless otherwise indicated, this Procedure will still apply beyond the review date.
Section 1 - Purpose
Section 2 - Scope
Section 3 - Procedure
Section 4 - Enforcement
Section 5 - Definitions
| Term | Definition |
| --- | --- |
| CD | A Compact Disc (CD) is a class of media from which data are read by optical means. |
| Data | Pieces of information from which “understandable information” is derived. |
| Disposal | Disposal is a release outcome following the decision that media does not contain sensitive data. This occurs either because the media never contained sensitive data or because sanitisation techniques were applied and the media no longer contains sensitive data. |
| DVD | A Digital Video Disc (DVD) has the same shape and size as a CD, but with a higher density that gives the option for data to be double-sided and/or double-layered. |
| Electronic Media | Electronic media are devices containing bits and bytes such as hard drives, random access memory (RAM), read-only memory (ROM), disks, flash memory, memory devices, phones, mobile computing devices, networking devices, and backup tapes. |
| Hard Disk | A rigid magnetic disk fixed permanently within a drive unit and used for storing data. It could also be a removable cartridge containing one or more magnetic disks. |
| Media Sanitisation | A general term referring to the actions taken to render data written on media unrecoverable by both ordinary and extraordinary means. |
| SSD | A Solid State Drive (SSD) is a storage device that uses solid state memory to store persistent data. |

Section 6 - Review