7.5.12 Eradication of Data Stored on Electronic Media
A. Purpose
To establish procedures for the proper destruction of electronic media containing PHI or other sensitive data at the University.
B. Persons Affected
This policy applies to employees, contractors, students, and vendors at The University of Texas at Tyler (the "University"). Any Protected Health Information (PHI) that is stored on electronic media is included in the scope of this policy. This policy applies to electronic media that is to be destroyed and electronic media that is to be sent to surplus or repurposed.
C. Definitions
PHI - All individually identifiable health information transmitted or maintained by the University, regardless of form, e.g., patient name, address, telephone number, social security number, diagnosis
Electronic Media - any device that is used to store or record electronic information, including, but not limited to hard drives, PCMCIA (compact flash memory) drives, USB drives, magnetic tapes, compact disks, DVDs, videotapes, audiotapes, and removable storage devices such as floppy disks and zip disks.
D. Policy
Responsibilities for Disposal/ Repurpose of Electronic Media. Electronic media must be wiped or destroyed in a secure manner once the device has reached the end of its useful life-cycle.
- Electronic media to the University Information Technology (IT) or Information Security department for processing.
- IT will store the electronic media in a secure location until it is repurposed or destroyed.
- If electronic media is to be repurposed, IT or Information Security will wipe the electronic media and verify its contents have been permanently removed before reuse.
- IT or Information Security is responsible for properly destroying all electronic media..
- If electronic media is to be destroyed, a representative from either IT or Information Security will witness the destruction.
Enforcement
Violation of this policy may result in disciplinary action. All supervisors are responsible for enforcing this policy. Individuals who violate this policy will be subject to the applicable disciplinary processes, up to, and including, termination.
E. Reference(s):
N/A
F. Review Responsibilities and Dates
The Division Head for this Policy is the Chief Information Security Officer and this Policy shall be reviewed every two (2) years or sooner, if necessary, by the Division Head or their designee.
APPROVED: 09/2021
AMENDED: 05/2023