Secure Disposal of Information

Confidential electronic and paper information must be disposed of securely to minimise the risk of unwanted disclosure.

Members of the University, especially staff and research students, must be sure to handle information securely. Achieving and demonstrating good standards of information handling is particularly important to the research interests of the University.

Confidential information is information which, if improperly disclosed or lost, could cause harm or distress. This includes personal data as defined by the Data Protection Act, i.e. information about a living individual where that individual could be identified, and other valuable or sensitive information not in the public domain.

The University Information Security Policy sets out mandatory requirements relating to secure disposal of confidential information.

Procedures summary

  • Appropriate procedures must be followed when disposing of information, whether it is in paper or electronic form, to minimise the risk of unwanted disclosure.
  • Precautions must be taken when control of a device that may have information stored locally is to be reassigned to someone else. (Such devices include: computers, mobile phones, USB drives, cameras, rewritable CDs/DVDs etc.)
  • When devices that store confidential information are to be repaired, that information should first be removed. However, if removal of the information prior to repair is not possible, the work should be carried out by a company subject to a suitable agreement. (Note: The University standard purchasing terms and conditions suitably address confidentiality and Data Protection matters.)
  • In general, locally installed licensed software should be removed from IT equipment before disposal or transfer of control. Not doing so may breach the terms of the licence.

Disposing of paper information

  • Dispose of unwanted paper documents that do not contain any confidential information by recycling.
  • Where documents contain confidential information, assess whether the disclosure of the information could cause harm. If so, or if you are uncertain, place the documents in a shredding bag and store the bag securely until it is collected for shredding. The University uses the services of a company providing secure on-site shredding. For details and to request this service see: Waste Guide for Departments.

Disposing of electronic information

  • The University works with an approved contractor to recycle redundant IT equipment. The contractor is subject to an agreement with the University to securely sanitize all hard drives. To request a collection of waste IT equipment, fill in the online IT Waste Collection Request Form. (For further information visit the Environment Team website or email environment@le.ac.uk.) Equipment must be kept in a secure location until collected. Where extra care is considered necessary, a secure deletion tool should be used before collection - see below.
  • Departmental procedures must ensure that locally stored confidential information is removed as appropriate before a device is reassigned to another person. This should be done routinely at the time the device is returned, using a secure file-level or drive-level deletion tool – see below.

Secure data deletion tools

The standard method of deleting a data file, on many types of system, may leave its contents recoverable. This is helpful if a mistake has been made; however, it is insecure if the intention is to prevent anyone else from being able to “un-delete” and read the file. (Tools for recovering files deleted in the standard way are available for various systems.)

Entire PC hard drives can be “securely wiped”, such that the data is made unrecoverable, using a free utility such as “Boot and Nuke”. Specific files and folders can be deleted under Windows using the free tool “SDelete”. These tools can be downloaded from the Internet.

However, whilst some staff may feel confident to obtain and use such tools, other staff needing to ensure that confidential data has been deleted are advised to seek assistance from their departmental Computer Officer or IT Services.

University Policy

This communication is based on the Information Security Policy documents:
Information Handling Policy (ISP-S7)
Mobile Computing Policy (ISP-S14)
Software Management Policy (ISP-S13)

Request Information

To make a Data Subject Access Request, or a Freedom of Information Request, please contact IAS directly.