Policy for the Re-use and Disposal of Computers, other IT Equipment and Data Storage Media

Transcription

1 Policy for the Re-use and Disposal of Computers, other IT Equipment and Data Storage Media The University has legal obligations to ensure that all computers, IT equipment, and data storage media (e.g. USB drives, DVDs, CDs, etc.) including the data and software held upon such equipment, are disposed of appropriately and legally. Equipment must be disposed of in line with the EU Waste Electrical and Electronic Equipment (WEEE) Directive; data in line with the Data Protection Act 1998, the University s Data Protection Policy and information security considerations of the University; and software in line with copyright legislation and software licensing provisions. To this end, members of the University must follow this policy for reuse and disposal of computers and IT equipment. This policy compliments the University Purchasing Policy on the specific re-use and disposal of IT equipment, as distinct from general equipment. This policy augments the key clause of the Purchasing Policy, but strengthens provisions required for data and software stored on IT equipment. Where goods are deemed by a Department to be surplus to requirements, details should first be circulated widely within the University. Such items may be transferred to another Department, at an agreed assessed value. If no interest is shown by other Departments, alternative arrangements for disposal should be made. These may include disposal to individuals or outside bodies. In this event, it is essential that items are properly valued at their full market price and all arrangements carefully documented, with invoicing and payment arranged via the Finance Office. If all attempts at disposal fail, the item should be scrapped. Exceptionally, if an item is declared to be scrap, it may be donated (obsolete scientific equipment may be of interest to schools, for example). Again, action must be carefully documented and the Finance Office kept fully informed, using the form attached as Annex D. Contents 1. Inclusions and exclusions 2. Options for the 'disposal' of IT equipment 3. Removal of data and software a. When a computer is being redeployed within the University b. When a computer is being sold to a member of the University or donated to an outside body c. When a computer is being scrapped d. Secure erasure of data/software from hard disks and other data storage media 4. Sale to a member of the University or sale/donation to an outside body 5. Disposal in an environmentally-friendly manner 6. Compliance

2 7. Updating equipment records 8. Acknowledgements 1. Inclusions and Exclusions All computer and IT equipment purchased by or on behalf of Bangor University is covered by this policy. This includes end-user equipment such as computers, monitors, TFT screens, laptops, smart phones, PDAs, Blackberries etc. and any other server or device which stores data, and/or has University licensed software installed upon it. The policy also covers all computer and data storage media used in the University s business e.g. CDs, DVDs, Flash drives/memory sticks, external hard drives, tapes etc. Disposal of photocopiers (some of which have data storage capacities) is separately covered under the photocopier agreement, and should be co-ordinated through the Finance Purchasing team. 2. Options for the re-use and disposal of IT equipment When equipment becomes redundant from its original use, the following options, listed in order of priority, should be considered: 1. Redeployment within the University 2. Sale to members of the University 3. Sale to outside bodies 4. Donation to a charitable or community organisation 5. Disposal in a secure and environmentally-friendly manner In cases 1-4 above, appropriate steps must be taken with regard to: the removal or retention of data and software In cases 2-4, the additional provisions of section 4 with respect to the sale/donation Sale to a member of the University or sale/donation to an outside body and, in all cases, to the updating of equipment records as described in the following sections. 3. Removal of data and software The removal and destruction of data prior to disposal is the responsibility of the organisational unit (i.e. college, school, department, etc) to whom the computer or data storage media belongs. Care must be taken not only to meet the requirements of Confidentiality Agreements, Third Party Contracts, the Data Protection and Copyright, Designs & Patents Acts and commercial sensitivity but must also to recognise that the release of data not covered by these acts may still

3 give rise to embarrassment for the University or damage to its business, if found by third parties. When a computer is being redeployed within the University: Data removal or transfer The original user should remove all data from the computer, unless the recipient has a business requirement for the transfer of some data with the computer. If any data are to be transferred with the computer, the original owner must ensure that he or she has the authority to transfer ownership of the data to the recipient and that any special terms under which the data are being held continue to be met. If the data being removed are sensitive (which, in the Data Protection Act, is defined as personal information related to such things as racial or ethnic origin, political opinions, religious beliefs, trade union membership, health, sexual life and criminal convictions), the disk should be reformatted, a secure wipe of the disk carried out with appropriate utility software - see section on Secure erasure below - and the operating system re-installed. In some cases it may be appropriate to install an updated version of the operating system (e.g. Windows XP in place of Windows 98). Contact ITS for advice on this. The Registrar s office can provide further advice on the Data Protection Act Software removal or transfer Only those items of software may be retained for which the University holds a licence and where that licence is being transferred to the new user; all other items of software must be removed. Software licence records must be updated accordingly and licence paperwork transferred appropriately - see section on Updating equipment records below. When a computer is being sold to a member of the University or donated to an outside body: Sale or donation of equipment should only be considered where the organisational unit has the resources to prepare the equipment suitably carrying out the secure erasure of data and software. All data and software must be removed. The most secure way to do this is by reformatting the hard disc and using the Secure erasure procedures described below, prior to reinstalling the original operating system and any bundled software that was originally provided with the system.

4 Under no account should any University-licensed software be distributed to a third party. When a computer is being scrapped: Equipment should be scrapped using the external disposal service coordinated by IT Services - see section on Disposal in an environmentallyfriendly manner below. This service provides for the secure destruction of equipment to a state where data recovery would be impossible, and provides the required records to the University in order to evidence the process. Prior removal of data and software is therefore not essential. Secure erasure of data/software from hard disks and other data storage media To ensure data are erased securely (i.e. cannot be recovered in whole or part using data recovery tools and techniques), all data areas on the disk/media must be overwritten. Re-formatting the hard disk/media is not sufficient for this. A specialised "disk wiping" utility to erase the entire contents of the disk must also be run. Where a computer is being re-used within the University, arrange for secure erasure of data and software, and configuration of the equipment for the new user by contacting the IT Services Helpdesk on helpdesk@bangor.ac.uk or ( ) IT Services will advise on appropriate processes for secure erasure of data/software on equipment destined for sale or donation, and plans to be able to offer this service. Where data storage media CDs/DVDs/Memory sticks/obsolete software disks are to be disposed of, they should be delivered to the IT Services helpdesk clearly marked For Secure Disposal 4. Sale to a member of the University or donation to an outside body Where equipment is being sold to a member of the University or donated for use by an outside body: Data and software must be removed from computers, as described in the preceding section. The equipment must be checked for health and safety the equipment must pass a visual safety check and PAT (Portable Appliance Test) test, both of which must de documented (see Updating Equipment Records) The value of the equipment to be sold should be calculated according to the following formula purchase price less 1/5 th of the purchase price multiplied by the age of the machine VAT must always be added (e.g. a 3 year old PC and screen costing 500 initially would be sold for 500- ( 100*3)= 200+VAT). The minimum sale value for a computer and screen in working order is considered to be 100. The asset disposal limits outlined in the University Financial Regulations should be adhered to

5 Donations must only be made to registered charities or community organisations such as schools, voluntary groups etc. The donation and recipient organisation must be approved by the college, school or department Care must be taken to ensure that the recipient is aware that the University makes no guarantee as to the safety, suitability or performance of this equipment and has no further responsibility towards the maintenance or upkeep of the equipment. The following form of words has been approved by the University Legal Advisor: Buyers are advised to inspect the goods in order to satisfy themselves, specifically with regard to safety and as to the fitness for purpose of the equipment. Whilst the Bangor University has made reasonable efforts to ensure the safety of the equipment, it makes no guarantee as to the safety, suitability or performance of this equipment and will accept no responsibility for injury, damage or loss relating to the supply or operation of the equipment, save for death or personal injury caused by negligence or for fraud. Where the item is sold, the sales invoice must specifically identify the equipment, for example, make, model and serial number. Further, credit should not be given before the equipment is removed, and the invoice should be paid before its removal and a signed collection receipt obtained from the buyer acknowledging that they have taken possession. Equipment records must be updated accordingly - see section on Updating equipment records below The Finance off can be contacted for for further advice on financial and legal matters pertaining to any sale. 5. Disposal in an environmentally-friendly manner Where equipment is to be disposed of and scrapped, the University is obliged to ensure this is done in a manner which complies with the EU Waste Electrical and Electronic Equipment (WEEE) Directive. The Directive aims to reduce the quantity of waste from electrical and electronic equipment and increase re-use, recovery and recycling. To arrange for disposal and scrapping of redundant equipment: For portable equipment (PDA s smartphones, laptops etc.) and portable data storage media (CDs/DVDs/memory sticks etc), hand-in to the IT Services Support Centre within Adeilad Deiniol For non-portable equipment (computers, servers etc.) ring or the IT Services Helpdesk IT Services will inspect equipment, re-use any appropriate equipment, and arrange collection and disposal of remaining equipment through the University s approved disposal contract.

6 6. Compliance The University has significant obligations in respect to disposal and re-use of IT equipment, under Confidentiality Agreements, Third Party Contracts, the Data Protection Policy and software licensing conditions. Failure to comply with this policy will be referred through the University disciplinary process. 7. Updating equipment records In all cases, details of the transfer or disposal of the equipment must be recorded. This should be done in the appropriate Equipment Database or Inventory, maintained by the organisational unit within the University to which the equipment belongs. These details should include: reason for transfer/disposal, to whom ownership has been transferred/sold or to whom equipment has been passed for disposal, the sales invoice, the date of transfer/disposal, and health and safety checks as per this policy. 8. Acknowledgements Bangor University wishes to acknowledge and thank the University of Aberdeen for allowing the University of Aberdeen guidelines on the Disposal of Computing and IT Equipment to be used and modified to form this policy for Bangor University.