This document provides specific guidance on methods, processes and procedures to ensure no data remain on computer hard drives that are to be permanently removed from the College of Public Health FERPA, HIPAA Regulations.

Under the regulations of HIPAA AND FERPA, data destruction on computer must follow minimum guidelines which match those of the Department of Defense Sanitization and Data Destruction Policies.

1A. Sanitization

Sanitization is the process of overwriting and replacing information (data) with 1s and 0s in such a way that meaningful information cannot be recovered from a hard drive. Sanitization will be used to overwrite and replace data on all College of Public Health owned or controlled hard drives being sent to surplus or moved to another department. The individual performing the overwriting must have suitable technical expertise and will be responsible for certifying that the process has been successfully completed by signing a data destruction form. Once the over writing has been certified, a signed copy of the certification printout verifying that the drive has been purged will be stored in the central IT office.

1B. Degauss

Degaussing (i.e., demagnetizing) is a procedure that reduces the magnetic flux of a medium to virtual zero by applying a reverse magnetizing field. Properly applied, degaussing renders any previously stored data on magnetic media unreadable. The Media Center in Seashore Hall offers degaussing service for the entire campus. The College of Public Office of Information Technology also offers a degaussing service to collegiate computer systems and media. Individuals performing degaussing will certify that the process has been completed by filing a signed verification certificate, indicating the date and degaussing product used for the procedure to the central IT office. Persons performing the degaussing function must have suitable expertise. This works effectively for re-utilizing backup media such as DLT and SDLT tapes; this should be used as a last resort against hard disks, as it renders the hard drive unusable after the process.

1C. Physical Destruction

Destruction of a hard drive is the process of physically damaging a medium so that it is not usable in a computer and so that no known exploitation method can retrieve data from it. Destruction of hard drives will be certified by affixing a signed certification printout to the hard drive indicating the date and method of destruction.

1D. Data Clearing

(not a recommended practice for systems leaving the College of Public Health)

Clearing data (deleting files) removes information from storage media in a manner that renders it unreadable unless special utility software or techniques are used to recover the cleared data. However, because the clearing process does not prevent data from being recovered by technical means, it is not an acceptable method of sanitizing college owned or controlled hard disk storage media.