It is important to know who can access the data, the appropriate places to store the data, how to securely dispose of the data, and how to report a breach or compromise of sensitive university data. The following information addresses faculty and staff responsibilities related to the handling and storage of university data.
To assist faculty and staff in reducing their risk, the Information Security Office has developed a sensitive data checklist. This "low tech" way of cleaning up data will not only reduce risk for faculty, departments, and the university at large, it will help in getting rid of old data that is taking up space on computers all over campus. Print your checklist below.
Records retention has always been about as fun as going to the dentist: you don’t want to do it, but it’s necessary for your well-being. Some believe that they should archive, anything and everything forever, just to be on the safe side. But that's not quite right either. In records-retention land, there is no "safe side." Keeping too much information is a risk too. If you retain a record for too long, it's very expensive, you expose yourself and the university to litigation risks, and you might even be violating privacy rights.
It is important to properly handle data erasure and disposal of electronic media (e.g. PCs, CDs, USB drives) in order to protect restricted and sensitive data from accidental disclosure. Before discarding your computer or portable storage devices, you need to be sure that data has been completely erased.
- Read/writable media (including your hard drive) should be wiped using Department of Defense compliant software, which can be downloaded at no cost.
- Shred CDs and DVDs. This type of media should be physically destroyed.
- Media that does not have a need to be re-used or contains sensitive or private data that cannot be wiped should be physically destroyed.
- FTC's Protecting Personal Information: A Guide for Business provides tips on how to properly dispose of your data.
Copiers are smart machines that can do the obvious, copy, but can also print, scan, fax, and email documents. Copiers require hard disk drives to manage the many jobs they receive; but did you know that the copier’s hard drive also stores all of the data that goes through it? If you don’t take steps to protect that data, it can be stolen from the hard drive, either by remote access or by extracting the data once the drive has been removed.
- The FTC’s Digital Copier Data Security: A Guide for Businesses includes everything you need to know about copiers and their data.
- For UA policies regarding disposal of university property see the Surplus Property - Program Information page.
While it is always important to be mindful of data/physical security for computing devices, it is especially important to safeguard this type of equipment during office renovations, moves, travel, or disposal of devices. These types of events have the potential to create scenarios when there is a higher risk for computer and identity theft.
- UA InfoSec's Safeguarding Computer Equipment During Office Moves and Renovations explains why you are more at risk and what you can do to lower that risk.
University departments are responsible for securely disposing of or destroying any media that has ever held, stored, or transmitted sensitive university data. In most cases, simply deleting data files from a device is insufficient in meeting the obligation to protect University data from unauthorized disclosure.
When disposing of any data, it is best to play it safe and treat it as though it contained sensitive information. Consult with your IT staff for your best options.