Disposal and Redisposition of IT Equipment and Removable Media

Download a PDF version of the Disposal and Redisposition of IT Equipment and Removable Media (.pdf) >>

Purpose

This policy provides guidelines for requesting the disposal or transfer of IT equipment and removable media no longer needed and for ensuring confidential data, as defined in UD’s Electronic Use of Confidential Data policy, is not inadvertently released to unauthorized parties, either internal or external to the University. Additionally, a single, streamlined process allows the University to best address potential environmental, financial, and security concerns associated with the disposal of IT equipment and removable media.

Policy History

Effective Date:  December 17, 2015

Approval:  December 17, 2015; University President

Policy History:

  • Approved in its original form:  July 2007;
  • Approved as amended:  September 2009;
  • Approved as amended:  December 17, 2015

Maintenance of Policy:  Purchasing and Chief Information Officer

Scope

This policy applies to all University of Dayton departments and to all employees – faculty, staff, contractors, consultants, temporaries, and other workers – making use of IT equipment and removable media procured with UD funds, discretionary accounts included. Equipment purchased with grant funds becomes the property of the University after the award ends unless the award explicitly specifies otherwise. While the grant is active, the equipment generally moves with the grant recipient. In the case a grant recipient leaves UD, care must be taken to ensure sensitive data is not inappropriately transferred.

As described in UD’s Electronic Use of Confidential Data policy, confidential data should not be stored on personal devices.

This policy does not apply to UD’s Research Institute. Given the nature of its contract work, UDRI applies a separate standard. For more information on UDRI specific requirements, please contact the Research Information Technology Office.

Definitions

  1. IT Equipment:  Equipment supporting office automation or the display, processing, storage, or transfer of data.
  2. Removable Media:  Peripheral storage, either permanent or reusable. The latter category includes, but is not limited to, USB flash drives, CDs/DVDs, and external hard drives.

Policy

All IT equipment purchased with University of Dayton funds must be returned to UDit when no longer needed or a need to transfer equipment outside of the originating department exists. Equipment procured after June 2009 requires purchase of asset management and recycling riders. All or portions of the work specified in this policy may, after initial collection and processing by UDit, be accomplished by 3rd parties contractually bound to the data sanitization requirements of this policy.

UDit Technology Support Services (TSS) will move and/or dispose of unnecessary IT equipment after appropriate paperwork has been completed. To request an equipment move or disposal:

  1. Print and complete the equipment change form located at http://www.udayton.edu/udit/_resources/documents/policies/Equipment_Removal_Form.pdf and keep it with the corresponding equipment.
  2. Call the UDit Help Desk (937-229-3888) and place an equipment change request. A TSS representative will contact you via phone within two business days to schedule an appointment for equipment removal.

Functioning IT equipment will be evaluated for redisposition within the UD community or used for replacement parts. Special dispensation may be made for repurposing equipment outside of UD, but requires approval of Purchasing and UDit.

All re-allocated computers and removable media will be cleaned of sensitive data and licensed software before being re-deployed within UD or transferred outside the university for either redisposition or destruction. In cases of intradepartmental transfer, this responsibility falls to that unit’s IT support. Computer hard drives will be erased using software compliant with NIST Special Publication 800-88 standards. In the case this is not possible or not cost effective, hard drives (after removal) and/or removable media will be physically destroyed. Departments may process their own removable media as long as they adhere to the standards approved in this paragraph.

Parties found to have violated this policy may be subject to disciplinary action. Departments that turn in IT equipment that is missing one or more components may be subject to a $50 processing fee.

Reference Documents

  1. ISO 27002 2013 Sec. #8.3,11.2
  2. Equipment Disposal Form
  3. Equipment Move Policy & Fee Schedule
  4. University of Dayton Equipment Disposal Fees for non-supported IT Equipment

Applicable Regulations

  1. Family Educational Rights and Privacy Act (FERPA)
  2. Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  3. Payment Card Industry Data Security Standards (PCI DSS)