Institutional Information Disposal Requirements
Keeping records that no longer need to be maintained under the UC Records Retention Schedule is a security and privacy risk. The less information you keep, the less your likely information will be exploited or stolen.
Electronic Media and Data
The UC Institutional Information Disposal Standard requires that institutional information classified at Protection Level 3 or higher be securely erased before disposing, returning or reusing the media.
UC Irvine IT offers recommendations and services for the secure disposal and destruction of media containing institutional information classified as Protection Level P3 or P4.
Your device type and the protection level of the information it contains determine the disposal method for your media.
See the table below and match the type of device you want to dispose of with the protection level of the information contained on the media. If you’re not sure what protection level your information requires, refer to the Classification Decision Tree.
Important: Inoperable or dead disk drives also need to be destroyed. If you don’t know what data is contained on an inoperable drive, assume it contains P4 data and dispose of it based on the information below.
|Device/Data Location||Information Protection Level|
Hard disk drives
Solid state drives (SSD)
Logical storage (Cloud, CMS, Database)
|Other embedded storage devices|
|Portable media - (thumb drive, USB stick)|
|Portable magnetic media – (tape)|
You can use clear disk software or hardware products to overwrite storage space. Clear might include overwriting not only the logical storage location of a file(s) (e.g., file allocation table), but also all addressable locations. Clear also protects against keyboard based or simple non-invasive data recovery techniques.
Note: Clear should only be used for institutional information classified as P2 or lower.
Use a UCI Information Security approved product such as the following to clear your media:
Cryptographic erase safely destroys all copies of the decryption key. If all data is adequately encrypted, then once the decryption key is removed the Institutional Information is not recoverable.
1Logical storage is principally storage used within or by applications, such as databases, content management systems, cloud storage services, etc. An IT Administrator will be required for cryptographic erasure of Institutional Information on logical storage.
Secure erase is a data sanitization method where existing data is overwritten by random data, making it indecipherable. Use one of the following secure erase methods based on the type of media:
Most SSD and Hybrid drives have a built-in secure erase command that can be initiated with the manufacturer provided tool. Examples include:
- Western Digital
- Adata: ADATA SSD Toolbox
- Kingston: Kingston® SSD Manager
HDD (Spinning Drive)
- Download a DBAN bootable iso image and create a bootable USB.
- Insert the drive into your PC, and boot from the USB drive.
- Once booted to the main menu, press M and choose "DoD Short."
- Windows: Download and install the one of these utilities:
- Open the Disk Utility app.
- Select the drive, then click “Erase.”
- Select “Security Options…”
- Move the slider control and select the Most Secure option available.
Deleting removes the ability to access the file or data in the operating system, service, etc.
- Locate the file and/or folder in File Explorer.
- Right click and press Delete in the dropdown menu.
- This will send the file/folder to the Recycle Bin.
- Locate the Recycle Bin on the desktop and double-click to open it.
- Find the file/folder and right-click on it.
- Press Delete on the dropdown menu.
- Drag the file/folder to the Trash Bin.
- Open the trash bin by clicking on it.
- Press the Control Button and click on the file/folder to be deleted.
- Press the Delete button.
- Open the Disk Management console for Windows.
- Select the drive you want to format.
- Right click and then click on the Format option.
- Enter a volume name and pick the format.
- Press OK.
- Open up the Disk Utility console.
- Select the drive you want to format and press Erase.
- Enter a volume name and pick the format.
- Press Erase.
UCI Information Security has partnered with Iron Mountain to provide secure destruction services. Iron Mountain's destruction service maintains a strict chain of custody and provides a certificate of destruction when required.
Incorrect Methods of Data Disposal
Disposing of your data incorrectly leaves traces of data on the media, making it possible to retrieve all the data either in its original format or in a format that can be used to restore the original. Despite what you might find on the internet, the following are some of the methods that are NOT approved for securely disposing of your data.
- Crushing with an immense weight
- Hitting with a sledgehammer
- Immersing in a caustic liquid
- Saving in a drawer
- Throwing in a trash can or recycling bin
Be sure to follow the recommendations provided and choose the correct disposal method for your device/data.
Paper Record Disposal
Paper documents containing information classified at Protection Level P2 or higher must be securely destroyed before being disposed of so that sensitive information is not disclosed and cannot be reconstructed.
Approved UCI methods for paper document destruction include:
- Using a cross-cut shredder
- Use a UCI approved shredding company such as Iron Mountain
All documents must be kept in secure storage areas or containers until they are destroyed. Iron Mountain can provide a variety of secure containers when using their paper shredding services and can provide a certificate of destruction if needed.
Make sure you consult the UC Records Retention Schedule before destroying or shredding the records.
Review the Records Management details for additional information.