1. Home
  2.  » 
  3. How To . . .
  4.  » Proper Data Disposal

Proper Data Disposal

Institutional Information Disposal Requirements

Keeping records that no longer need to be maintained under the UC Records Retention Schedule is a security and privacy risk. The less information you keep, the less your likely information will be exploited or stolen.

Electronic Media and Data

The UC Institutional Information Disposal Standard requires that institutional information classified at Protection Level 3 or higher be securely erased before disposing, returning or reusing the media.

UCI offers recommendations for the secure disposal and destruction of media containing institutional information classified as Protection Level P3 or P4.

Choosing the correct disposal method for your device/data

Your device type and the protection level of the information it contains determine the disposal method for your media.

See the table below and match the type of device you want to dispose of with the protection level of the information contained on the media. If you’re not sure what protection level your information requires, refer to the Classification Decision Tree.

Important Notes:

    • When recycling an entire device to resell or give away, we recommend treating it like P3/P4 as it likely contains passwords or browser cookie sessions that could be recovered and used to access your personal information.
    • Inoperable or dead disk drives also need to be destroyed. If you don’t know what data is contained on an inoperable drive, assume it contains P4 data and dispose of it based on the information below.
    • Make sure to physically secure all devices/data until you correctly dispose of them.
    • If you have any questions, contact your Unit Information Security Lead (UISL) or email security@uci.edu, or if you have an OIT-managed device the OIT Help Desk.

 

Device/Data Location Information Protection Level
P1 P2 P3 P4

Hard disk drives (spinning)

Delete

Clear

Secure Erase
or Destroy

Secure Erase
or Destroy

Solid state drives (SSD)

Delete

Clear

Secure Erase
or Destroy

Secure Erase
or Destroy

Logical storage (Cloud, CMS, Database)

Delete

Delete

Cryptographic Erase

Cryptographic Erase

Optical disk (CD/DVD/etc)

Destroy

Destroy Destroy Destroy
Phone/Tablet Delete Clear Secure Erase
or Destroy
Secure Erase
or Destroy
Portable media – (thumb drive, USB stick) Delete Clear Secure Erase
or Destroy
Secure Erase
or Destroy
Portable magnetic media – (tape) Delete Destroy Destroy Destroy
Other embedded storage devices Delete Clear Secure Erase
or Destroy
Secure Erase
or Destroy

Delete

Deleting removes the ability to access the file or data in the operating system, service, etc.

Files/Folders
    • Windows:
      1. Locate the file and/or folder in File Explorer.
      2. Right click and press Delete in the dropdown menu.
      3. This will send the file/folder to the Recycle Bin.
      4. Locate the Recycle Bin on the desktop and double-click to open it.
      5. Find the file/folder and right-click on it.
      6. Press Delete on the dropdown menu.
    • Mac:
      1. Drag the file/folder to the Trash Bin.
      2. Open the trash bin by clicking on it.
      3. Press the Control Button and click on the file/folder to be deleted.
      4. Press the Delete button.

 

Drives
    • Windows:
      1. Open the Disk Management console for Windows.
      2. Select the drive you want to format.
      3. Right click and then click on the Format option.
      4. Enter a volume name and pick the format.
      5. Press OK.
    • Mac:
      1. Open up the Disk Utility console.
      2. Select the drive you want to format and press Erase.
      3. Enter a volume name and pick the format.
      4. Press Erase.

 

Clear

You can use clear disk software or hardware products to overwrite storage space. Clear might include overwriting not only the logical storage location of a file(s) (e.g., file allocation table), but also all addressable locations. Clear also protects against keyboard based or simple non-invasive data recovery techniques.

Note: Clear should only be used for institutional information classified as P2 or lower.

Use a UCI Information Security approved product such as the following to clear your media:

    • Windows – use SDelete
    • Mac OS – use “rm -P” to overwrite the file
    • Linux – use Shred

 

Secure Erase

Secure erase is a data sanitization method where existing data is overwritten by random data, making it indecipherable and forensically unrecoverable. Use one of the following secure erase methods based on the type of media:

    • Not sure what type of drive you have in your computer/laptop?
      • Windows: open the Defragment and Optimize Drives tool (type “defragment” into the search menu in the taskbar)
      • Mac: click the Apple logo and then About this Mac, and select the Storage tab
    • The entry typically says “solid state” or “flash storage” for a solid-state drive (SSD), whereas for a mechanical hard drive it says “hard disk drive.”

 

HDD (Spinning Drive)
    1. Download a DBAN bootable iso image and create a bootable USB.
    2. Insert the drive into your PC, and boot from the USB drive.
    3. Once booted to the main menu, press M and choose “DoD Short.”

NOTE: This method takes many hours depending on the size of the drive.

 

SSD/Hybrid Drive

Most SSD and Hybrid drives have a built-in secure erase command that can be initiated with the manufacturer provided tool. Examples include:

 

Alternatively, your motherboard’s UEFI BIOS may have an option for secure erase of SSD bootdrive, or Windows Diskpart, or the universal Parted Magic, by following the instructions here.  Cryptographic Erase methods also work for SSD.

 

USB/Flash Drives
    • Windows: Download and install the one of these utilities:
      • Roadkill: Select Random data, minimum of 3 passes.
      • Eraser: Select DoD three-pass option.
    • Mac:
      1. Open the Disk Utility app.
      2. Select the drive, then click “Erase.”
      3. Select “Security Options…”
      4. Move the slider control and select the Most Secure option available.

 

Phones & Tablets

Similar to the cryptographic erase method (below), here are some device specific instructions:

 

Cryptographic Erase

Cryptographic erase safely destroys all copies of the decryption key. If all data is adequately encrypted, then once the decryption key is removed the Institutional Information is not recoverable.

For computers, laptops, phones, and tablets, this can be accomplished by performing full disk or entire device encryption, and then perform a factory reset which essentially destroys the decryption key.  Instructions for common devices can be found here.

Logical storage is principally storage used within or by applications, such as databases, content management systems, cloud storage services, etc. An IT Administrator will be required for cryptographic erasure of Institutional Information on logical storage.

 

Destroy

Destroying your media makes the media unusable and renders Institutional Information irretrievable even using specialized recovery techniques. It also results in the subsequent inability to use the media for storage of data.

Shredding the device using equipment that is safely rated to handle either CD/DVD and/or drives is the most common method.  UCI has partnered with Southern California Shredding to provide an annual data disposal day where staff can access secure destruction services for free, and provide a strict chain of custody and certificate of destruction when required.

Incorrect Methods of Data Disposal

Disposing of your data incorrectly leaves traces of data on the media, making it possible to retrieve all the data either in its original format or in a format that can be used to restore the original. Despite what you might find on the internet, the following are some of the methods that are NOT approved for securely disposing of your data.

    • Burning
    • Crushing with an immense weight
    • Degaussing
    • Drilling
    • Hitting with a sledgehammer
    • Immersing in a caustic liquid
    • Saving in a drawer
    • Throwing in a trash can or recycling bin

 

Be sure to follow the recommendations provided and choose the correct disposal method for your device/data.

Paper Record Disposal

Paper documents containing information classified at Protection Level P2 or higher must be securely destroyed before being disposed of so that sensitive information is not disclosed and cannot be reconstructed.

Approved UCI methods for paper document destruction include:

    • Using a cross-cut shredder
    • Use a UCI approved shredding company such as Iron Mountain

Important: All documents must be kept in secure storage areas or containers until they are destroyed. Iron Mountain can provide a variety of secure containers when using their paper shredding services and can provide a certificate of destruction if needed.

Make sure you consult the UC Records Retention Schedule before destroying or shredding the records.

Review the Records Management details for additional information.

Donating Devices

After you have properly disposed of data as described above and no longer need the device, consider sending department surplus and e-waste equipment to UCI Equipment Management, where Peter’s Exchange can resell or recycle it.