

Sanitization And Disposal Of Information Resources Policy

Effective Date: October, 2013


I. Introduction

A large volume of Data is stored on Systems (as each such term is defined in the Columbia University Information Security Charter (the “Charter”)) throughout Columbia University. A substantial amount of this Data consists of Sensitive Data or Confidential Data (as each such term is defined in the Charter). Unauthorized disclosure of such Data may expose the University to legal liability. Data sanitization is the deliberate and permanent removal of Data from an Information Resource. This Policy defines the appropriate sanitization and disposal methods to be used.


Capitalized terms used herein without definition are defined in the Charter.


II. Policy History

The effective date of this Policy is November 1, 2013. This Policy and the other Information Security Policies replace (A) the following University Policies:

  • Data Sanitization and Disposal of Electronic Equipment Policy, dated January 1, 2008, as amended in February 2008
  • Electronic Information Resources Security Policy, dated March 1, 2007

and (B) the following CUMC Policy:

  • Information Security: Backup, Device and Media Controls


III. Policy Text

A.     Sanitization

Each System Owner, Data Owner, IT Custodian and User is responsible for determining if Sensitive Data or Confidential Data is present on the Information Resource by, for example, periodically scanning the Information Resource using software provided by CUIT or CUMC IT, and sanitizing all Information Resources with hard drives and Removable Media under his/her control prior to removal from the University in accordance with the following guidelines:

1.  Non-Sensitive and Non-Confidential Data.

         Data other than Sensitive Data or Confidential Data may be deleted and/or reformatted.

2.  Sensitive Data and Confidential Data.

          Sensitive Data and Confidential Data must be sanitized in a manner that leaves the Data unrecoverable. This can be accomplished by using one of the following methods:


All paper-based Sensitive Data or Confidential Data must be destroyed using cross-shredding or through a contract with an Information Security Office-approved vendor.


IV. Cross References to Related Policies and Other Documentation

The Information Security Policies and certain additional documentation referred to in this Policy are listed in Appendix A hereto.

Appendix A

Related Policies and Other Documentation

CUIT Data Deletion Software

CUMC Data Deletion Software

Data Classification Policy

Information Security Charter