
3-12 Disposal or Transfer of Computers and Other Digital Assets

About CMU's "Disposal or Transfer of Computers and Other Digital Assets" policy

This policy is in place to reduce the risk exposure of CMU’s protected or restricted data stemming from inappropriate transfer, sale, or disposal of CMU-owned computers, computer-based equipment, and digital media.

NOTE ABOUT PDF VERSION: The PDF is the official text of the policy. If there are any incongruities between the text of the HTML version and the text within the PDF file, the PDF will be considered accurate and overriding.

BACKGROUND

This policy has been created to reduce the risk of the breach or exposure of CMU’s Protected or Restricted data stemming from inappropriate transfer, sale, or disposal of CMU-owned computers, computer-based equipment, and digital media of any kind. Without proper removal, sensitive personal data as well as University licensed software packages may inadvertently remain on the hard drives or storage media of computers and other equipment intended for transfer, sale, or disposal. At best, access to this sensitive information and licensed University software by non-authorized personnel (internal or external to CMU) is inappropriate. At worst, the University could be held liable for the release of personal information and/or a violation of software licensing agreements. This policy guards against these possibilities by requiring that all computers and other digital assets intended for transfer, sale, and disposal be managed through processes maintained by University Stores and the Office of Information Technology (OIT). 

PROCEDURE

All computers and digital assets must be transferred to OIT or University Stores for erasure prior to transfer, sale, or disposal. Erasure of data must be confirmed as successful, or the storage media will be considered defective and must be destroyed (crushed, shredded, or rendered otherwise unusable) before the remaining equipment may be transferred, sold, or disposed of. If defective storage media cannot be separated from the device, the device must be destroyed before leaving the University.

University-owned computers and other digital assets known to have housed Restricted or otherwise regulated information (like workstations or devices used in clinical patient treatment areas, servers and server-storage with large repositories or databases of HIPAA, FERPA, or controlled research data on them) will be considered to be at high risk for inadvertent data loss and will have their storage media removed and destroyed by OIT/University Stores prior to transfer, sale, or disposal of the equipment.

RELATED POLICIES AND OTHER RESOURCES

AMENDMENTS AND ADDITIONS

The CIO may approve exceptions to this policy. All amendments and additions to this policy will be drafted by a committee convened by the CIO and will be reviewed and approved by the Provost and the President. Changes in this policy will be appropriately publicized.

Central Michigan University reserves the right to make exceptions to, modify, or eliminate this policy and/or its content. This document supersedes all previous policies, procedures, or guidelines relative to this subject.