Media Reuse and Disposal Policy

Objective
The policy and associated guidance provide requirements for reuse or disposal of WashU systems containing protected or confidential information.

Applicability
This policy applies to systems connected to any WashU network, including all information resources that are owned, leased, vended, contracted, or operated by the university. This includes hardware, software, systems, and data. 

Audience
The audience for this policy is all WashU faculty, staff, and students. It also applies to all other agents of the university with access to WashU information and network for contracted services. This includes, but is not limited to, partners, affiliates, contractors, temporary employees, trainees, guests, and volunteers. These groups will be referred to collectively hereafter as the “WashU community”.

Roles & Responsibilities

Policy
Protected and confidential information must be rendered permanently unrecoverable on all forms of media before the media is disposed of or reused. This is to prevent recovery of data by unauthorized sources. Logs will be maintained and reviewed to ensure media is properly disposed of or reused.

All forms of media will be secured physically while in transit to reduce the risk of unauthorized access, corruption, or misuse of the information.

The department, school, or their contracted vendors will store all forms of media in a secure location prior to destruction. Destruction vendors must have a signed HIPAA BAA on file.

Policy Compliance
The Office of Information Security (OIS) will evaluate compliance with this policy using various methods, including reports, internal and external audits, and feedback to the policy owner. If compliance with this policy is not feasible, technically possible, or practical, users should request an exception from the OIS. Exceptions to this policy must be approved by the OIS in advance. Non-compliance will be addressed with management, Area Specific Compliance Office, Human Resources, or the Office of Student Conduct.

Related Policies
Information Classification Policy

Reference
None

Policy Review
This policy will be reviewed at a minimum every three years. 

Title: Media Reuse and Disposal Policy
Version Number: 3.0
Reference Number: MP-01.01
Creation Date: February 2, 2011
Approved By: Security and Privacy Governance Committee
Approval Date: April 6, 2016
Status: Final
Scheduled Review Date: March 1, 2022
Revision Date: February 26, 2019
Revision Approval Date: March 15, 2019
Policy Owner: Office of Information Security