Effective Date: January 1, 2008
Latest Revision: February, 2013
Data sanitization is the deliberate and permanent removal or destruction of the data on a storage media device. When a storage media device becomes obsolete or the sensitive data is no longer needed, all sensitive data must be effectively removed from the storage media before the devices are reused or discarded. This policy defines the appropriate data sanitization and disposal methods based on the data classification and sensitivity level at Columbia University.
Reason for the Policy
This policy ensures that sensitive data is not inappropriately released. Sensitive data may include: information classified by the University's administration; information protected by laws such as the Family Educational Rights and Privacy Act (FERPA); the Health Insurance Portability and Accountability Act of 1996 (HIPAA); the Gramm-Leach-Bliley Act (GLBA); information that could lead to identity theft; information that could contribute to problematic or sensitive situations for the University; and/or information leading to the loss of personal privacy, licensed software, or restricted intellectual property. The sensitive data could be stored in desktop and laptop computers, or in removable storage devices (e.g., a CD, DVD, floppy disk, Zip drive, external hard drive, USB disk or flash drive), or any devices with storage capabilities (e.g., mobile devices, copier, etc.).
Primary Guidance to Which This Policy Responds
This policy responds to all applicable federal and state statutes pertaining to protection of sensitive and confidential information. These statutes include, but are not limited to, New York State Law, the New York State Information Security Breach and Notification Act, FERPA, HIPAA, GLBA, and the Payment Card Industry Data Security Standard (PCI DSS).
Responsible University Office & Officer
The Columbia University Information Technology (CUIT) Office of Security is responsible for the maintenance of this policy, and for responding to questions regarding it. The Chief Information Security Officer (CISO) is the responsible officer.
This policy was established in January 2008.
The policy was revised in August 2010 to expand its scope to include any device with storage capabilities, to update the Special Situations section to cover the handling of devices with encryption software, and to add Appendix A, the copier hard drive disposal process and procedures.
Who is Governed by This Policy
This policy applies to all individuals who access, use or control Columbia University's electronic information resources. Those individuals covered include, but are not limited to, faculty, staff, students, contractors, consultants, those working on behalf of the University and/or individuals authorized by affiliated institutions and organizations.
Who Should Know This Policy
Anyone who accesses, uses or controls Columbia University's electronic information resources should be familiar with this policy.