Milligan University’s information systems capture, process, and store information using a wide variety of media, including paper. This information is not only located on the intended storage media but also on devices used to create, process, or transmit this information. These media may require special disposition to mitigate the risk of unauthorized disclosure of information and to ensure confidentiality.
Regulations
The Family Educational Rights and Privacy Act (FERPA), the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the Payment Card Industry Data Security Standards (PCI DSS) require formal documentation of disposal procedures to ensure that specific types of information are properly sanitized prior to being discarded.
- All paper-based media should be disposed of when it is no longer necessary for business use, provided that the disposal does not conflict with University data retention policies or any regulatory requirements. Questions about retention requirements should be directed toward the appropriate data owner.
- All electronic storage media should be sanitized when it is no longer necessary for business use, provided that the sanitization does not conflict with University data retention policies or any regulatory requirements. Questions about retention requirements should be directed toward the appropriate data owner.
- All electronic storage media should be sanitized prior to sale, donation or transfer of ownership. A transfer of ownership may include transitioning media to someone in your department with a different role, relinquishing media to another department, or replacing media as part of a lease agreement.
- The following are recommended for sanitization and disposal of paper-based media:
  - Cross shredding should be used for Clearing and Purging of paper-based media.
  - A third-party document destruction service should be used for destroying paper-based media. A Certificate of Destruction should be requested as evidence that the documents were destroyed, and retained for future reference.
- The following are recommended for sanitization and disposal of Electronic Storage Media:
  - Cross shredding should be used for destroying non-writeable CDs, DVDs and floppy disks.
- In situations where a third-party warranty or repair contract prevents proper sanitization of Electronic Storage Media, IT should be contacted for further guidance.
Milligan University provides conveniently located shred boxes that an approved vendor empties monthly, certifying the contents as destroyed.
All electronic storage must be properly e-wasted through Milligan’s IT department. The IT department ensures destruction by an environmentally safe, certified company, and a certificate of proper destruction will be stored. Before placing any item in e-waste, the IT department will remove the hard drives and personally deliver them to the e-waste professional at the time of pick-up.