When declaring electronic media (hard drives, floppy diskettes, CDs, DVDs, flash drives, tapes, cell phones, mobile devices, etc.) as excess, departments must ensure that all Category II and Category III data1 contained on these items is not vulnerable to theft or electronic compromise. This is called media sanitization. Media sanitization comprises all actions necessary to protect data on surplus or end-of-life University-owned media from unauthorized access.2
Prior to media sanitization, a department should ensure compliance with any known Legal Hold Notices and records retention requirements3 for data contained on the media by consulting with designated OU officials, (e.g., Open Records Act Officer, Legal Counsel, records retention officers, or departmental or university privacy officers).
Following sanitization, departments must maintain a sanitization record for each item. The record should detail the type of media, date, sanitization method, and the final disposition of the media (sold, recycled, returned, etc.).
Resource Documents:
1 Data classification categories
https://webapps.ou.edu/security/policies/Data_Classification_Policy.pdf
2 Sanitization methods and definitions
https://www.ou.edu/content/dam/IT/security/Media_Sanitization_Policy.pdf
3 Records retention policy
https://www.ou.edu/content/dam/AdminFinance/documents/Records_Retention_Policy_Norman_Campus.pdf
(Chief Information Officer, Senior Vice President and Provost, Vice President for Administration and Finance, 1-23-09)
