The Purpose
The purpose of this policy is to help HKUST Schools, Departments, Offices, units, and affiliated Institutes safeguard institutional or personal sensitive information from unauthorized disclosure by removing or destroying information for computers or storage devices prior to redeployment or disposal.
The Scope
In-scope Devices (devices):
- All computers including, but not limited to, desktop computers, laptop computers, servers, and mobile devices;
- All digital storage devices embedded in 1. including magnetic hard disks (HDD) and solid state drives (SSD) ;
- All external storage devices including, but not limited to, external hard disks, logical storage, optical disk (DVD/CD), flash drives, USB sticks, and magnetic tapes.
In-scope Data (data):
- Personal Information – Personally identified or personally identifiable information or other sensitive data. These information/data including, but not limited to, a single piece or a combination of information of name, picture, residential address, HK ID, biometric data, phone number, DOB, occupation, sexual orientation, etc.
- Institutional information – HKUST Institutional/business data, software programs licensed by HKUST, or all non-public data
In-scope Parties (parties):
- Every device user is responsible for securing and protecting the data over which the user has control. In meeting this requirement, users may refer to this Data Destruction Policy, or consult corresponding departmental IT technical staff and/or ITSO.
- Management of Schools, Departments, Offices, units, and affiliated institutes shall observe this Data Destruction Policy.
The Policy
Data must be properly and reliably erased or destroyed from any device before it is being disposed of if the device is not disposed of through the Standard Disposal Procedure (See Point B below). Failure to do so may pose a significant risk to involuntary exposure of personal and/or institutional information. In all instances, the following procedures should be observed prior to the redeployment or disposal of any device. Data owners must keep their devices safely before these procedures can be executed.
A) Decision on Destruction or Reserve Data on Devices
- Each device should be evaluated by management of the party to determine if it should be destroyed or if the data or software programs on it should be retained and transferred elsewhere within HKUST.
- Data which must be retained or transferred to another device must be done in consultation with the Head of Department/Office.
- Licensed software and institutional data must be properly removed prior to transfer of the device to another department/office within HKUST.
- Software licensed by a department/office must be retained by the corresponding department/office for possible re-deployment.
- All data must be properly and reliably erased from any device prior to donation of the device to external parties.
B) Decision on Dispose Device Through Standard Disposal Procedure
When a party fills in the Asset Item Disposal e-From to dispose any device, we call this the Standard Disposal Procedure.
Under this Procedure, HKUST has setup a term contract with disposal companies which collect computers and related IT equipment from HKUST for scrapping. Disposal companies must include and arrange data destruction process through degauss using certificated data eraser/certificated degausser at their premises. This process must be executed in a secure way for all scrap computers with storage devices collected from HKUST.
The Standard Disposal Procedure is considered a carefree way of disposing computer devices. However, parties are strongly encouraged to perform a corresponding procedure mentioned in section C below to further limit the chance of unauthorized disclosure of data before the devices can be processed by the disposal companies.
C) Decision on Choosing Storage Device Sanitization Method
If the Standard Disposal Procedure is not applicable, parties may choose to perform device sanitization themselves. In this case, parties need to understand the attributes of a device/media before choosing the correct method to sanitize device/media. Parties may always consult ITSO in case of doubts.
- HDD/Magnetic tape/SSD/USB/Flash Drives – When these devices are needed to be disposed of, the in-scope parties are required to delete all data in the devices using the normal data erasing functions like Disk Format or Trash Bin (then Empty Trash). The erasing of data acts as double protection to your sensitive data. Afterwards, these devices can be transferred and stored in secured cabinets in ITSO. ITSO has established standard contracts with contractors to properly and reliably destroy/erase data from these devices when they are accumulated to certain number.
In case of urgency, a degausser is available in ITSO to properly destroy data on magnetic devices (HDD/magnetic tape).
- Cloud storage - The data destruction will be properly addressed if the cloud service provider is selected based on Guidelines on choosing Cloud Service Provider .
- Optical Disk – Use one of the following ways to destroy an optical disk,
- Wrap the disk with plastic wrap and fold it until it breaks;
- Cut the disk with a pair of scissors;
- Scratch out the disk volume descriptor. The volume descriptor is about 2mm wide located near the very center, non-transparent area of the disk. Scratch this area on the label side in circular motion around 10 times so that it cannot be read. If a DVD drive cannot read the volume descriptor, it cannot read the rest of the data.
- Other Storage Device – Parties may consult ITSO for methods of sanitizing data storage devices that are not listed in this Policy.