Institutional Information Disposal Requirements

Keeping records that no longer need to be maintained under the UC Records Retention Schedule is a security and privacy risk. The less information you keep, the less your likely information will be exploited or stolen.

Electronic Media and Data

The UC Institutional Information Disposal Standard requires that institutional information classified at Protection Level 3 or higher be securely erased before disposing, returning or reusing the media.

UC Irvine IT offers recommendations and services for the secure disposal and destruction of media containing institutional information classified as Protection Level P3 or P4.

Choosing the correct disposal method for your device/data

Your device type and the protection level of the information it contains determine the disposal method for your media.

See the table below and match the type of device you want to dispose of with the protection level of the information contained on the media. If you’re not sure what protection level your information requires, refer to the Classification Decision Tree.

Important: Inoperable or dead disk drives also need to be destroyed. If you don’t know what data is contained on an inoperable drive, assume it contains P4 data and dispose of it based on the information below.

Device/Data Location Information Protection Level
P1 P2 P3 P4

Hard disk drives

Delete

Clear

Secure Erase 
or Destroy

Secure Erase 
or Destroy

Solid state drives (SSD)

Delete

Clear

Secure Erase 
or Destroy

Secure Erase 
or Destroy

Logical storage (Cloud, CMS, Database)

Delete

Delete

Cryptographic Erase1

Cryptographic Erase1

Optical disk

Destroy

Destroy

Destroy

Destroy

Other embedded storage devices

Delete

Clear

Secure Erase 
or Destroy

Secure Erase 
or Destroy

Portable media - (thumb drive, USB stick)

Delete

Clear

Secure Erase 
or Destroy

Secure Erase 
or Destroy

Portable magnetic media – (tape)

Delete

Destroy

Destroy

Destroy

Clear

You can use clear disk software or hardware products to overwrite storage space. Clear might include overwriting not only the logical storage location of a file(s) (e.g., file allocation table), but also all addressable locations. Clear also protects against keyboard based or simple non-invasive data recovery techniques.

Note: Clear should only be used for institutional information classified as P2 or lower.

Use a UCI Information Security approved product such as the following to clear your media:

  • Windows - use SDelete
  • Mac OS - use "rm -P" to overwrite the file
  • Linux - use Shred

Cryptographic Erase 

Cryptographic erase safely destroys all copies of the decryption key. If all data is adequately encrypted, then once the decryption key is removed the Institutional Information is not recoverable. 

1Logical storage is principally storage used within or by applications, such as databases, content management systems, cloud storage services, etc. An IT Administrator will be required for cryptographic erasure of Institutional Information on logical storage.

Secure Erase

Secure erase is a data sanitization method where existing data is overwritten by random data, making it indecipherable. Use one of the following secure erase methods based on the type of media:

SSD/Hybrid Drive

Most SSD and Hybrid drives have a built-in secure erase command that can be initiated with the manufacturer provided tool. Examples include:

HDD (Spinning Drive)
  1. Download a DBAN bootable iso image and create a bootable USB. 
  2. Insert the drive into your PC, and boot from the USB drive.
  3. Once booted to the main menu, press M and choose "DoD Short."

NOTE: This method takes many hours depending on the size of the drive.

USB/Flash Drives
  • Windows: Download and install the one of these utilities:
    • Roadkill: Select Random data, minimum of 3 passes.
    • Eraser: Select DoD three-pass option.
  • Mac:
    1. Open the Disk Utility app.
    2. Select the drive, then click “Erase.”
    3. Select “Security Options…”
    4. Move the slider control and select the Most Secure option available.

Delete

Deleting removes the ability to access the file or data in the operating system, service, etc.

Files/Folders
  • Windows
    1. Locate the file and/or folder in File Explorer.
    2. Right click and press Delete in the dropdown menu.
    3. This will send the file/folder to the Recycle Bin.
    4. Locate the Recycle Bin on the desktop and double-click to open it.
    5. Find the file/folder and right-click on it. 
    6. Press Delete on the dropdown menu.
  • Mac
    1. Drag the file/folder to the Trash Bin.
    2. Open the trash bin by clicking on it.
    3. Press the Control Button and click on the file/folder to be deleted.
    4. Press the Delete button.
Drives
  • Windows:
    1. Open the Disk Management console for Windows.
    2. Select the drive you want to format.
    3. Right click and then click on the Format option.
    4. Enter a volume name and pick the format.
    5. Press OK.
  • Mac:
    1. Open up the Disk Utility console.
    2. Select the drive you want to format and press Erase.
    3. Enter a volume name and pick the format.
    4. Press Erase.

Destroy

Destroying your media makes the media unusable and renders Institutional Information irretrievable even using specialized recovery techniques. It also results in the subsequent inability to use the media for storage of data.

UCI Information Security has partnered with Iron Mountain to provide secure destruction services. Iron Mountain's destruction service maintains a strict chain of custody and provides a certificate of destruction when required.

 

Incorrect Methods of Data Disposal

Disposing of your data incorrectly leaves traces of data on the media, making it possible to retrieve all the data either in its original format or in a format that can be used to restore the original. Despite what you might find on the internet, the following are some of the methods that are NOT approved for securely disposing of your data.

  • Burning
  • Crushing with an immense weight
  • Degaussing
  • Drilling
  • Hitting with a sledgehammer
  • Immersing in a caustic liquid
  • Saving in a drawer
  • Throwing in a trash can or recycling bin

Be sure to follow the recommendations provided and choose the correct disposal method for your device/data.

Paper Record Disposal

Paper documents containing information classified at Protection Level P2 or higher must be securely destroyed before being disposed of so that sensitive information is not disclosed and cannot be reconstructed.

Approved UCI methods for paper document destruction include:

  • Using a cross-cut shredder
  • Use a UCI approved shredding company such as Iron Mountain

All documents must be kept in secure storage areas or containers until they are destroyed. Iron Mountain can provide a variety of secure containers when using their paper shredding services and can provide a certificate of destruction if needed.

Make sure you consult the UC Records Retention Schedule before destroying or shredding the records.

Review the Records Management details for additional information.

Questions? 

Contact your Unit Information Security Lead (UISL) or email security@uci.edu for further assistance.