Fayetteville Policies and Procedures  924.0 

Data Disposal

  1. Overview
    This policy provides guidance to ensure that University of Arkansas data is not exposed after it is no longer needed and/or after the decommissioning or repurposing of the system where it was stored.

  2. Purpose
    The purpose of this policy is to ensure that necessary university records and documents no longer needed for organizational purposes are discarded at the appropriate time and in an appropriate manner.

  3. Scope
    This policy applies to university employees, contractors, vendors, and other personnel who are custodians, creators or managers of university data, records and/or documents in either paper or electronic formats.

  4. Definitions
    1. University data: University data is data that is related to the mission of the university, including faculty, staff, student, and university business.

  5. Policy
    1. All university data that is no longer needed must be appropriately disposed of in accordance with all applicable university records retention policies, and applicable law and regulations.
    2. The university requires that, before any computer system, electronic device, or electronic media is disposed of, recycled, or transferred to another user or as surplus property, the system, media, or device must be either:
      • Properly sanitized of university data and software, or
      • Properly destroyed.
    3. All applicable university records retention policies and guidelines, as well as any applicable laws and regulations, should be consulted prior to the erasure or destruction of data, systems, devices, or media.
    4. When data is disposed of, electronic media must be sanitized following the guidelines in the latest version of NIST Special Publication 800-88, “Guidelines for Media Sanitization”. For specific procedures and processes, please contact UITS security for the latest documentation.
    5. IT Services is available to assist departments in complying with these requirements.

  6. Reporting and Addressing Suspected Violations
    Anyone who has reason to believe that another person has violated this policy shall report the matter promptly to the Office of the CISO (Chief Information Security Officer) and/or their supervisor or department head. Failure to report a suspected violation is a violation of this policy. After a suspected violation of this policy has been reported or discovered, the issue will be handled as soon as possible to mitigate any harm to the university and its affiliates.

  7. Enforcement
    Violation of this policy may result in loss of access and disciplinary action up to and including termination. For additional information, see the Code of Computing Practices.

  8. Exemptions
    Exemptions from this policy must be approved. Any questions about the contents of this policy or the applicability of this policy to a particular situation should be referred to the Office of the CISO. Please see the Exemption policy.

June 20, 2022