Durham University

Information Governance

Disposal of Information

Introduction

Information has a life span that relates to its relevance, business need, and any statutory or regulatory requirement to retain it. When no longer required it should be disposed of appropriately.

In the information lifecycle, disposal (or disposition) generally refers to the point in time when the information holder no longer has a need for the information, so one outcome can be to transfer it to an archive. This is covered in the University's guidance on Retention. The information below relates to the final destruction of information.

Risks

Keeping information for longer than is required exposes the University to risks, such as:

Inefficiency. Large data stores, physical or digital, can make it more difficult to find the information you need. Processing excessive digital information can slow the performance of computer systems. Retaining digital data in live systems increases backup processes and can increase the likelihood of data loss in the event of a service incident. Requests for information under the Freedom of Information (FOI) Act or Environmental Information Regulations (EIR) can take longer as a result of processing more information than is strictly necessary, potentially missing deadlines for responses.

Increased costs. Physical and digital storage require space which can be used to better effect. Preserving information in either format requires certain atmospheric conditions so the environmental impacts are felt in energy usage. Digital information may also need to be rewritten on new media or in different formats in order to remain legible and usable. Retaining the data may not be as simple as just storing it untouched, hence all retained data has a management overhead.

Compliance. Data protection legislation can impose heavy penalties for failure to comply with its requirements, which include rights for individuals in how we manage their data. Retaining personal data longer than is necessary is a breach of data protection legislation. The more data we have and the longer we hold it, the greater the likelihood of failure to comply through some failure of process or system.

Security. Retained information needs to be stored securely. Failure to maintain and monitor security controls on stored data is as much a breach as it is for live data. Potentially, loss or corruption of data which is not used on a day-to-day basis may be less easily observed, but the data is no less valuable.

Disposal of removable media

Removable media provides a handy and relatively cheap means of storing, transporting and transferring information. Removable media includes CDs, DVDs, Blu-Ray discs, USB memory sticks, external USB hard-drives and Network Attached Storage (NAS) devices. Improvements in technology and miniaturisation mean that such devices can now store masses of information on media which are potentially easily damaged or lost/stolen, or may be retained longer than necessary because the small form factor does not create space issues. However, it is essential that the information stored on the devices is appropriately managed. This may require information to be deleted from re-usable media when it is no longer required. With correct use of removable media this should be well in advance of the requirements of the University Records Retention Schedule; however, that schedule should inform any review of information retention.

Disposal of the media should ensure that any information that needs to be retained on more permanent solutions is or has been transferred.

  • Disc media should be shredded locally where facilities exist (many local document shredders also have slots for disc media).
  • Where that is not possible or there are discs in bulk, these should be sent to CIS for disposal through our approved routes.
  • Other removable media should be processed as per other IT equipment and sent to CIS for disposal through the approved routes. Where possible delete information prior to sending the device to CIS.

Disposal of electronic devices

University-owned information-containing devices must be disposed of via CIS. This includes devices purchased by departments or under research grants. Under no circumstances can IT equipment be sold to staff or students.

The disposal route through CIS ensures that hard drives are securely erased and equipment is correctly disposed of. This prevents accidental disclosure of information that might otherwise occur, and ensures that obligations regarding ownership and disposal of IT in accordance with WEEE Regulations are maintained.

Personal devices should be cleared of University information if the device is still operational. Consider locally stored email, local device storage and any attached memory, such as SD/MicroSD cards. Clear settings and ideally perform a factory restore prior to disposing of your device through any route, e.g. resale or waste.

Disposal of hardcopy media

The colour-coded recycling bins located around the University and the recycling station at the Bill Bryson Library should not be used for disposing of paper where the information is anything other than publicly available, for example marketing material.

Shredding machines are widely available for local, limited use or the information should be disposed of through the secure shredding procedure. The latter is more useful for disposal of bulk hardcopy material. Any bags stored pending collection for shredding should be securely located but not present a fire or trip hazard.