Disposal and Redisposition of IT Equipment and Removable Media

Purpose

This policy provides guidelines for requesting the disposal or transfer of IT equipment and removable media no longer needed and for ensuring confidential data, as defined in UD’s Electronic Use of Confidential Data policy, is not inadvertently released to unauthorized parties, either internal or external to the University. Additionally, a single, streamlined process allows the University to best address potential environmental, financial, and security concerns associated with the disposal of IT equipment and removable media.

Scope

This policy applies to all University of Dayton departments and to all employees – faculty, staff, contractors, consultants, temporaries, and other workers – making use of IT equipment and removable media procured with UD funds, discretionary accounts included. Equipment purchased with grant funds becomes the property of the University after the award ends unless the award explicitly specifies otherwise. While the grant is active, the equipment generally moves with the grant recipient. In the case a grant recipient leaves UD, care must be taken to ensure sensitive data is not inappropriately transferred.

As described in UD’s Electronic Use of Confidential Data policy, confidential data should not be stored on personal devices.

This policy does not apply to UD’s Research Institute. Given the nature of its contract work, UDRI applies a separate standard. For more information on UDRI-specific requirements, please contact the Research Information Technology Office.

Policy History

Effective Date:  July 2007

Approval:  March 19, 2019

Policy History: 

  • Approved in Original Form:  July 2007
  • Approved as Amended:  September 2009
  • Approved as Amended:  December 17, 2015
  • Approved as Amended:  March 19, 2019

Maintenance of Policy:  Procurement and Payables Services and Chief Information Officer

Definitions

(a) "IT Equipment": Equipment supporting office automation or the display, processing, storage, or transfer of data.

(b) "Removable Media": Peripheral storage, either permanent or reusable. The latter category includes, but is not limited to, USB flash drives, CDs/DVDs, and external hard drives.

Policy

All IT equipment purchased with University of Dayton funds must be returned to UDit when it is no longer needed or when a need exists to transfer it outside of the originating department. Equipment procured after June 2009 requires purchase of asset management and recycling riders. All or portions of the work specified in this policy may, after initial collection and processing by UDit, be accomplished by third parties contractually bound to the data sanitization requirements of this policy.

UDit will move and/or dispose of unnecessary IT equipment after appropriate paperwork has been completed. To request an equipment move or disposal, complete the IT Equipment Disposal form at https://udayton.teamdynamix.com/TDClient/Requests/ServiceDet.aspx?ID=6423.

Functioning IT equipment will be evaluated for redisposition within the UD community or used for replacement parts. Special dispensation may be made for repurposing equipment outside of UD, but requires approval of Purchasing and UDit.

All re-allocated computers and removable media will be cleaned of sensitive data and licensed software before being re-deployed within UD or transferred outside the university for either redisposition or destruction. In cases of intradepartmental transfer, this responsibility falls to that unit’s IT support. Computer hard drives will be erased using software compliant with NIST Special Publication 800-88 standards. In the case this is not possible or not cost effective, hard drives (after removal) and/or removable media will be physically destroyed. Departments may process their own removable media as long as they adhere to the standards approved in this paragraph.

Parties found to have violated this policy may be subject to disciplinary action.

Reference Documents

  1. ISO 27002:2013, Sec. 8.3, 11.2
  2. University of Dayton Equipment Disposal Form
  3. University of Dayton Equipment Move Policy & Fee Schedule
  4. University of Dayton Equipment Disposal Fees for non-supported IT Equipment

Applicable Regulations

  1. Family Educational Rights and Privacy Act (FERPA)
  2. Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  3. Payment Card Industry Data Security Standards (PCI DSS)

Contact

For questions relating to the University policies of Information Technology, please contact:


Gurvinder Rekhi, Vice President and Chief Information Officer
937-229-4307