Safe Data Disposal - College

Like most state agencies, public colleges and universities may dispose of all the equipment they no longer need for their operations. Their surplus programs take unwanted property – including information technology (IT) equipment like computers, cell phones and printers – and resell, recycle or otherwise dispose of it. 

Our Office has conducted two audits evaluating how well state agencies, including a few colleges, removed confidential data from IT devices before selling them through the Department of Enterprise Services (DES) surplus program. This audit sought to evaluate how surplus IT equipment was handled in a higher education setting that does not participate in the DES program but uses its own procedures.


Report Number 1036771

Key results

Colleges and universities possess tremendous amounts of confidential data, including personal information for each of their students, making safe data disposal imperative. This audit looked at how a college that does not participate in the state’s centralized surplus program handled IT equipment.

The college we reviewed assumes all surplus IT equipment contains confidential information and acts accordingly. It purchased industrial-grade equipment to sanitize surplus hard drives. Also, its policy calls for physically destroying a drive if staff encounter any difficulties in erasing its data.

We found the college’s process for sanitizing IT equipment has several strengths worth highlighting. For example, the college:

  • Only resells IT equipment that can be sanitized 
  • Treats every device as if it contains confidential information 
  • Uses professional sanitization systems to sanitize devices  

Background

Colleges handle many records that contain confidential information, including student identification and Social Security numbers or personal banking and medical information. State law requires them to destroy or arrange for the destruction of such data before they can send the IT equipment that stored it to surplus. Releasing such information can harm a person’s privacy and financial security, and pose the risk of identity theft.

To help colleges and other agencies comply with the law, Washington Technology Solutions (WaTech) developed the Media Sanitization and Disposal Standard. Following the standard helps ensure that discarded data-handling media – meaning any portion of a device that can store or process data – is securely sanitized using one of three sanitizing methods: clearing, purging or destruction, depending on the data category that is stored in the media.

Note: To decrease the risk to the audited college’s data security, this report did not disclose detailed results of the individual tests we performed. As an added precaution, we also did not disclose the identity of the college we audited.

Earlier audit results

Over time, Washington state agencies have made important progress in addressing the risks associated with disposing of computers and other IT equipment that may contain confidential data. In our first audit of data disposal in 2014, we estimated 9% of state computers scheduled for sale during our review period contained confidential data that should have been removed.

A follow-up audit, performed in 2018, found state agencies had improved their practices and reduced the risk of disclosing confidential information. That audit identified very few instances of confidential data on devices. Those instances illustrated the importance of strong policies and procedures that align with state requirements and best practices.

Strong processes, strong results

All surplus IT equipment we tested at the college was properly sanitized: we did not find any confidential data on the tested devices. Because our sample was not truly random, we cannot statistically project our results to all equipment at the college. Nonetheless, given the strong process the college has in place, plus the fact that all the devices we tested were properly sanitized, we are confident that the college has a good process in place to consistently sanitize its IT equipment.

Additionally, to obtain the necessary assurance that its sanitizing procedures are working as intended, the college verifies some of its results through testing. However, to help ensure procedures remain successful, the college should test a greater proportion of sanitized IT equipment.

Having a strict approach to media sanitization provides assurance that no confidential information remains in the equipment prepared for surplus. A less strict policy presents a greater risk of a data breach, should one poorly prepared device fall into the wrong hands.

Recommendations

We made a recommendation to the college to improve its process for verifying media sanitization results. We recommended that, in developing the process, the college consult with WaTech to determine the appropriate volume and frequency of testing.