Electronic Data and Equipment Disposal


Please see CUIMC Information Security Procedures for Sanitization and Disposal in addition to requirements and procedures listed below.

A large volume of electronic data is stored on computer systems and electronic media throughout the University. Much of this data consists of sensitive and confidential information, including patient records, financial data, personnel records, and research information. Columbia University is covered by several federal and state laws that set forth responsibilities for protecting this information, including the Health Information Technology for Economic and Clinical Health Act (HITECH Act), the Federal Privacy Act, the Health Insurance Portability and Accountability Act (HIPAA) and the New York State Social Security Number Protection Law.

Requirements

Unauthorized disclosure of sensitive information may subject the University to legal liability, negative publicity, monetary and civil penalties, and the possible loss of funding. All sensitive information and licensed software must be properly removed when disposing of computer systems with hard drives (laptops, desktops, servers, etc.), smartphones, tablets, medical instrumentation devices and modalities, printers and copiers, and removable media such as CDs, DVDs, disks, USB drives, external drives, tapes, smart cards or anything else that stores data. Bear in mind that many pieces of equipment keep a cache of data that you may not intend to store permanently.

Sanitization Procedures

Sanitization must be documented

Any device which has been sanitized properly must be documented. CUIMC IT will not assist in the sanitization of any device when appropriate device information is not provided. Proper recording of device destruction or sanitization includes the following information: serial number of the device, device type, date of destruction, person performing the destruction, owning department.

Physical removal by Facilities requires a Device Disposal Tag

Facilities Management is responsible for the disposition of surplus computer systems and electronic devices from university operated buildings. Any computer system or device sent out for disposition must have a 'Device Disposal Tag' affixed to it indicating that the system has been sanitized. Facilities Management will not accept any computer system without this sticker. Once collected, all computer systems and devices will be delivered to a secure location where disposal will be facilitated by the Department of Environmental Health and Safety.

Once you have gone through the necessary steps to properly sanitize your computer system and acquire a 'Device Disposal Tag' (see Options below), you may contact the facilities office to schedule the pickup of unneeded equipment. You can contact facilities by calling 5-Help option 3 or by going to the facilities website and submitting a work order.

Improper Disposal Penalties

In the event that a computer system is found to have been disposed of out of accordance with CUIMC IT Data Disposal Procedures, the system will be sanitized and a fee of $175 will be charged to the department of the systems origin without approval from the department.

Options for Disposal of Non-Leased Systems

  1. Assisted Hard Drive Extraction
    Call the CUIMC IT Service Desk (extension 5-Help). CUIMC IT will provide a field sanitation service for the standard rate of time and materials. Once the field tech has completed the hard drive extraction, a 'Device Disposal Tag' will be placed on the machine and you can contact the facilities management office to dispose of it.
  2. Departmental Extraction
    If your department has its own Certified IT Group, you may ask them to extract your hard drive and follow up with the Service Desk at extension 5-Help (212-305-4357), option 5, for the next steps. They will be able to obtain the required 'Device Disposal Tag' and then they can contact the facilities management office to dispose of the machine.
  3. Upgrade Extraction
    When upgrading equipment using CUIMC IT, hard drive sanitation will be provided upon request free of charge. A 'Device Disposal Tag' will be provided as part of the upgrade. Once this sticker is placed on the machine you can contact the facilities management office to dispose of it.
  4. Donate via Dr. Kleiman with MSPH
    Computers with a minimum Pentium 4 processor can be donated by contacting Dr. Norman J. Kleiman, email njk3@columbia.edu or call 5-6748. Dr. Kleiman's group takes responsibility for securely wiping data from the computer. Working printers are also accepted.

Hard Drive and Backup Tape Degaussing

CUIMC IT does not currently offer degaussing services or access to degaussing equipment.

System removal, ownership or location changes

In order to provide consistent, reliable network access to authorized individuals and systems, Core Resources must have current, accurate information systems using the wired network. Failure to provide accurate information can result in denial or loss of network connectivity, or problems with connecting to other resources. Failure to notify us of systems no longer using the network ties up resources that could be used by others.

Procedure

Submit the appropriate ServiceNow Wired IP Registration form when any of the following occur:

If a system is moving or changing ownership, the form will help ensure that wired connectivity is not disrupted provided that enough notice has been given.

Disable unused accounts

When looking at data sanitization and equipment disposal requirements due to changes in an employee’s status, do not forget to notify managing groups of the employee’s accounts.