Policy on Secure Disposal of IT Equipment and Information. 1. Information Security Working Group 2. CIO



Similar documents
Portable Devices and Removable Media Acceptable Use Policy v1.0

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Data Transfer Policy. Data Transfer Policy London Borough of Barnet

KEELE UNIVERSITY IT INFORMATION SECURITY POLICY

DATA PROTECTION IT S EVERYONE S RESPONSIBILITY. An Introductory Guide for Health Service Staff

The guidance applies to all records, regardless of the medium in which they are held, including , spreadsheets, databases and paper files.

Data storage, collaboration, backup, transfer and encryption

INFORMATION SECURITY POLICY

LSE PCI-DSS Cardholder Data Environments Information Security Policy

Information Security Policy London Borough of Barnet

Information Technology Acceptable Usage Policy

Storage, backup, transfer, encryption of data

IT Data Security Policy

Policy for the Re-use and Disposal of Computers, other IT Equipment and Data Storage Media

Newcastle University Information Security Procedures Version 3

Guidance on Personal Data Erasure and Anonymisation 1

Storing and securing your data

SECURITY POLICY REMOTE WORKING

So the security measures you put in place should seek to ensure that:

Highland Council Information Security Policy

Records Management Policy & Guidance

Legal and statutory obligations, in particular under the Data Protection Act, will be followed, whatever the protective marking used.

SOAS Controlled Procedure CP-PP06 IT Asset Management Procedure

Caedmon College Whitby

Version: 2.0. Effective From: 28/11/2014

Data Transfer Policy London Borough of Barnet

Acceptable Use of Information Systems Standard. Guidance for all staff

Secure Storage, Communication & Transportation of Personal Information Policy Disclaimer:

Data Protection and Information Security. Data Security - Guidelines for the use of Personal Data

UNIVERSITY OF MASSACHUSETTS RECORD MANAGEMENT, RETENTION AND DISPOSITION POLICY

Data Security Policy

Grasmere Primary School Asset Management Policy

University of Liverpool

Remote Access and Home Working Policy London Borough of Barnet

NHS Information Governance:

Secure Mobile Shredding and. Solutions

Burton Hospitals NHS Foundation Trust. On: 16 January Review Date: December Corporate / Directorate. Department Responsible for Review:

INFORMATION SECURITY GUIDELINES

Summary Electronic Information Security Policy

Storing and securing your data

2.0 Emended due to the change to academy status Review Date. ICT Network Security Policy Berwick Academy

MOBILE DEVICE SECURITY POLICY

Virginia Commonwealth University School of Medicine Information Security Standard

Data Security Policy. 1. Document Status. Version 1.0. Approval. Review By June Secure Research Database Analyst. Change History. 1 Version 1.

IFRS FOUNDATION DOCUMENT RETENTION AND DESTRUCTION POLICY

Order. Directive Number: IM Stephen E. Barber Chief Management Officer

ROYAL BOROUGH OF WINDSOR AND MAIDENHEAD SECURITY POLICY INFORMATION HANDLING

2.2 Access to ICT resources at the Belfast Metropolitan College is a privilege, not a right, and all users must act honestly and responsibly.

Abertay Data Storage Policy

Information Security Policy. Appendix B. Secure Transfer of Information

Protection. Code of Practice. of Personal Data RPC001147_EN_D_19

Appendices Device Destruction/ Disposal process 7

Records Management. 1. Introduction. 2. Strategic Plan Desired Outcomes

CITY UNIVERSITY OF HONG KONG. Information Classification and

Tameside Metropolitan Borough Council ICT Security Policy for Schools. Adopted by:

Data and Information Security Policy

Guidelines on Digital Forensic Procedures for OLAF Staff

Corporate Information Security Management Policy

INFORMATION SECURITY POLICY

INFORMATION SECURITY POLICY

Destruction and Disposal of Sensitive Data

Policy Document RECORDS MANAGEMENT POLICY

Information Security Policy for Associates and Contractors

University of Aberdeen Information Security Policy

DATA PROTECTION AND DATA STORAGE POLICY

Introducing OneDrive for Business

COVER SHEET OF POLICY DOCUMENT Code Number Policy Document Name

Scope and Explanation

Data Protection Policy

Administrative Procedure

Information Security

ABERDARE COMMUNITY SCHOOL

MANAGEMENT OF USER ACCOUNTS AND PASSWORD POLICY AUGUST Version 2.0

Information Security Policies. Version 6.1

SECURITY POLICIES AND PROCEDURES

Records Management Policy

Information Security Incident Management Policy

Managing Records: Retention, Destruction and Disposal

CCG LAPTOP AND PORTABLE DEVICES AND REMOTE ACCESS POLICY

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

HSCIC Audit of Data Sharing Activities:

A practical guide to IT security

Information Security Policy

Safe Haven Policy. Equality & Diversity Statement:

Rotherham CCG Network Security Policy V2.0

Acceptable Use Guidelines

University of Essex Automatic Number Plate Recognition (ANPR) Policy

Mike Casey Director of IT

Human Resources Policy documents. Data Protection Policy

CAVAN AND MONAGHAN EDUCATION AND TRAINING BOARD. Data Breach Management Policy. Adopted by Cavan and Monaghan Education Training Board

Originator: Chris Parkin Date: 4 March 2015 Approved by: Senior Management Team Type: Policy. Computer Security Policy

Harper Adams University College. Information Security Policy

IT06 - Information Technology (IT) Hardware and Software Policy

Data Protection Procedures

RECORDS MANAGEMENT POLICY

PRESERVATION AND PRODUCTION OF ELECTRONIC RECORDS

How To Protect Decd Information From Harm

INFORMATION MANAGEMENT & TECHNOLOGY SECURITY POLICY

NHS HDL (2006)41 abcdefghijklm. = eé~äíü=aéé~êíãéåí= = aáêéåíçê~íé=çñ=mêáã~êó=`~êé=~åç=`çããìåáíó=`~êé

Transcription:

Policy on Secure Disposal of IT Equipment and Information v1.0 Organisation Title Creator Approvals Required Oxford Brookes University Policy on Secure Disposal of IT Equipment and Information Information Security Working Group 1. Information Security Working Group 2. CIO 3. Executive Board Version Version 1.0 Owner Subject Rights Review date and Responsibility Executive Board The formal University policy on the secure disposal of IT equipment and information Public Annually by Information Security Working Group 1. Introduction The University holds and processes a large amount of information and is required to protect that information in line with relevant legislation and in conformity with University regulations and policies such as the Information Security Policy[link], the Data Protection Policy[link] and the Records Management Policy[link]. This policy sets out the requirements for staff on the secure disposal of the University s IT equipment and information. 2. Definitions 2.1 Secure Disposal Secure disposal means the process and outcome by which information including information held on IT equipment is irretrievably destroyed in a manner which maintains the security of the equipment and information during the process and up to the point of irretrievable destruction. 2.2 IT Equipment

IT equipment means all equipment purchased by or provided by the University to store or process information including but not necessarily limited to desktop computers, servers, printers, copiers, laptops, tablet computers, electronic notebooks, mobile telephones, digital recorders, cameras, USB sticks, DVDs, CDs and other portable devices and removable media. 2.3 Information 2.3.1 Information means all information and data held or recorded electronically on IT equipment or manually held or recorded on paper. 2.3.2 For the purpose of this policy, the information held by the University can be divided into two categories: non sensitive; and sensitive information. Sensitive information comprises: all personal information and all confidential information, the loss of which would, or would be likely to, cause damage or distress to individuals or to the University. 2.3.3 The default category is that all information is deemed to be sensitive unless specifically identified as otherwise. 3. Responsibilities 3.1 It is the responsibility of all University staff to ensure that the information held by the University is disposed of appropriately and that all sensitive information is disposed of securely. 3.2 Responsibility for this policy resides with the University s Executive Board. Implementation of this policy is managed through the University s Information Security Working Group which reports to the Chief Information Officer. 4. Statement of Policy 4.1 This policy on disposal covers all data or information held by the University whether held digitally or electronically on IT equipment or as manual records held on paper or in hard copy. 4.2 It is the University s policy to ensure that all information held by the University is disposed of appropriately, in conformity with the University s legal obligations and in accordance with the University s regulations[link] and Records Management policy[link]. 4.3 In particular it is the University s policy to ensure that all sensitive information which requires disposal is disposed of securely. 4.4 Where information is held on IT equipment, it is the policy of the University that such equipment will be assumed to hold sensitive information and that all information residing on such equipment must be disposed of securely.

4.5 The University supports policies which promote sustainability and take account of environmental impact. The University will therefore support recycling or sustainable redeployment in the disposal of IT equipment as long as information held on the equipment is irretrievably and securely destroyed prior to the the disposal of the equipment. 4.6 WEEE: IT equipment must also be disposed of in line with the EU Waste Electrical and Electronic Equipment (WEEE) Directive and the UK Waste Electrical and Electronic Equipment Regulations 2006. [Link www.brookes.ac.uk/documents/about/sustainability/en103w2/] 4.7 Copyright: software must be disposed of in line with copyright legislation and software licensing provisions. 5. Policy Principles 5.1 Hard copy 5.1.1 Information and data held in paper or hard copy which contain sensitive information shall be irretrievably destroyed in a way in which the information cannot be reconstituted, by shredding, pulping or incineration. 5.1.2 The process leading to and the process of shredding, pulping or incinerating such information shall be carried out securely. 5.1.3 Where the shredding or incineration are carried out on behalf of the University by a third party, there shall be a contract with that third party which appropriately evidences: a) that party s obligations to keep that data confidential and; b) that party s responsibility under the Data Protection Act 1998 for the secure disposal of the data. 5.1.4 Where hard copy information is stored externally by a third party data storage contractor, the contract shall ensure secure disposal of the data at a time which conforms with the University s Retention Schedule[link]. 5.2 IT Equipment 5.2.1 Since the policy default is that all IT equipment which stores or processes data will be deemed to hold sensitive data, then all such IT equipment will undergo appropriate physical destruction or an appropriate data overwrite procedure which irretrievably destroys any data or information held on that equipment.

5.2.2 Where an overwrite procedure fails to destroy the information irretrievably, the equipment shall be physically destroyed to the extent that the information contained in it is also irretrievably destroyed. 5.2.3 For the avoidance of doubt, removable digital media including but not limited to CDs, DVDs, USB drives, where the default is that they contain sensitive data, shall, if not successfully overwritten, be physically destroyed to the extent that all data contained in the media are irretrievable. 5.2.4 All IT equipment awaiting disposal must be stored and handled securely. 5.2.5 Where the overwriting procedure and/or physical destruction of IT equipment are carried out on behalf of the University by a third party, there shall be a contract with that third party which appropriately evidences: that party s obligations to keep that data confidential and; that party s responsibility under the Data Protection Act 1998 for the secure disposal of the data. 5.2.6 In any case where IT equipment is to be passed on by the University for re use, those staff involved in the sale or transfer of the equipment shall ensure that any information on the equipment has been irretrievably destroyed and that any other appropriate issues, including, but not limited to, the safety of the equipment are satisfactorily addressed. 5.2.7 Photocopiers and printers used or owned by the University may have a data storage capacity. Where such IT equipment contains information or data, the disposal of such equipment must have due regard to this policy. 5.3 Online Data 5.3.1 The University has a contract with Google for the use of its Google Apps for Education. This enables University staff to take advantage of the features provided for data storage of emails and documents. The University does not sanction the use of external online (cloud) services for University data where there is no contract in place. 5.3.2 Data held in the University s Google applications or other authorised online storage applications should be destroyed to the extent possible by using the delete facilities provided. 6 Record of Destruction 6.1 Any third party contracted to dispose of sensitive hard copy information shall certify the irretrievable destruction of the information. 6.2 University staff who have responsibility for the information which is disposed of shall ensure that the disposal conforms with the University s Records Management policy[link] and Retention Schedule[link] and that, where necessary, a record is kept documenting the disposal.

6.3 Where the disposal involves the disposal of IT equipment, the University shall keep a record of the asset number of the equipment which has been disposed of along with a record of the process by which the information stored on the equipment has been irretrievably destroyed. 7 Reporting 7.1 All staff, students and other users of information should report immediately to the Service Desk via the Servicedesk portal https://service.brookes.ac.uk or by telephone (tel. ext. 3311) any observed or suspected incidents where sensitive information has or may have been insecurely disposed of. 8 Advice and Assistance 8.1 Advice on the implementation of this policy can be obtained from the University Information Compliance Officer (tel. ext. 4354: email address info.sec.@brookes.ac.uk) and the University Records Manager (tel. ext. 4046: email address dept_ric.addressbook@brookes.ac.uk) 8. 2 Advice on the disposal of IT equipment can be obtained from the University s IT department, OBIS, by contacting the Service Desk on tel. ext 3311 or via the Servicedesk portal https://service.brookes.ac.uk 9 Guidelines 9.1 Hard Copy 9.1.1 Staff holding University data in hard copy should routinely dispose of the data when it is no longer required to be held for legal or contractual purposes or is no longer necessary for the business purpose for which it was originally created or held. In determining whether and when the data should be disposed of, staff should consult the University s Retention Schedule obis.brookes.ac.uk/records/retention%20schedule%201c.doc Further information can be obtained from the University Records Manager. 9.1.2 It is good practice to shred, pulp or incinerate all University data which requires destruction. Where hard copy waste is sensitive data (as defined in 2.3.2) it should always be securely and irretrievably destroyed by shredding, pulping or incineration. In order to ensure the secure and irretrievable destruction of hard copy, staff are required to use the service provided by the University s selected contractor for the destruction of confidential waste. 9.1.3 Confidential waste bags for information requiring secure destruction can be obtained from Campus Services which will collect the bags when they are ready for disposal. Bags which

contain confidential waste should be sealed and kept secure until collected by Campus Services. 9.1.4 Confidential waste bags awaiting collection or further processing should not be left in public areas or areas where they can be accessed by unauthorised staff. 9.1.5 Where sensitive data are stored under contract externally, staff responsible for the contract should ensure the contract includes secure, certificated destruction of the data in accordance with the appropriate retention period. External storage and destruction of University data should not be arranged without reference to the University Records Manager. 9.1.6 Where staff consider a document is of sufficient historic importance to be retained by the University, they should consult the University Archivist. 9.2 IT Equipment 9.2.1 Staff holding University data on IT equipment should routinely dispose of the data when it is no longer required to be held for legal or contractual purposes or is no longer necessary for the business purpose for which it was originally created or held. In determining whether and when the data should be disposed of, staff should consult the University s Retention Schedule [link obis.brookes.ac.uk/records/retention%20schedule%201c.doc]. Further information can be obtained from the University Records Manager (tel. ext. 4046: email address dept_ric.addressbook@brookes.ac.uk) 9.2.2 Where a decision has been made that data held on IT devices or media should not be retained, the files containing the data should be deleted from those devices. Deletion involves putting the information beyond use by the user of the device or media. Data held in a recycling bin on the device or data which can easily be recovered by the user are not regarded as being beyond use and may still be subject to discovery and disclosure under information law (Freedom of Information, Subject Access Request) or litigation. 9.2.3 Staff shall never dispose of University IT equipment (devices or media) without taking steps to ensure the irretrievable deletion of data held on the equipment. 9.2.4 Electronic or digital data which have been put beyond use by users may still be reconstituted by IT specialists or by forensic computer analysts. This means that when IT equipment (devices or media) are disposed of, the data should be irretrievably destroyed by being overwritten in accordance with the appropriate industry standard, or the hard disc containing the data within the equipment or the media containing the data (e.g. CD, USB stick) should be physically destroyed.

The University has some shredding machines available which can destroy CDs and DVDs as well as shred hard copy. 9.2.5 Staff requiring the disposal of IT equipment which holds or may hold University data should contact the Service Desk via the Servicedesk portal https://service.brookes.ac.uk (tel ext. 3311) to arrange for the disposal. 9.2.6 Staff should also be mindful that University mobile telephones contain data which will need to be extracted or deleted from the device before the device is disposed of. The telephone should be returned to the Service Desk should be contacted to initiate the secure return and disposal of the device. 9.2.7 While the University supports the recycling or sustainable redeployment of IT equipment, University staff shall not arrange for such a process without consulting the OBIS Client Device Support Manager contacted via the service desk via the Servicedesk portal https://service.brookes.ac.uk (tel. ext. 3311), obtaining appropriate authority from OBIS for the proposed recycling and ensuring that any data held on the equipment are securely and irretrievably destroyed. 9.2.8 Where University staff are leasing equipment (such as multi functional copiers), staff responsible for the contracts should ensure that the leasing contract certifies the secure disposal of any University data held on the devices during the period of lease. 9.2.9 When disposing of IT equipment, staff must be mindful of the WEEE regulations. [Link http://www.brookes.ac.uk/about/sustainability/docs/en103w2.pdf] 9.3 Online data 9.3.1 Staff using the delete facility provided by Google in the University s online Google applications should be aware that the deleted material will be held for 30 days in their online bin. Such data will not be regarded as beyond use until it has been further deleted from the bin. 9.3.2 Online data held in Google accounts provided to staff by the University for the purpose of their employment are not automatically deleted when staff leave the University. These accounts are deactivated and access to the data retained for any necessary business purpose. Prior to leaving the University, staff should, wherever possible, ensure the appropriate management and handover of the University data in their accounts, deleting from their accounts data which are no longer required by the University.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information