The following information is provided to assist KU technical staff with cleaning data from electronic devices (mainly computers, but also PDAs, memory sticks, etc.) that will be reused or recycled.

Data confidentiality has long been an issue of ethical concern. With the enactment of several laws to protect the privacy of individuals' health (HIPAA), financial records (GLBA), and student records (FERPA) it has become a legal concern as well.

When a file is deleted, the operating system does not really remove the file from the disk; it only removes the reference of the file from the file system table. The file remains on the disk until another file is created over it, and even after that, it is possible to recover data by studying the magnetic fields on the disk platter surface. The only way, other than physical destruction, to prevent this kind of inadvertent file sharing is to sanitize the hard drive before it reaches its next owner. There are two ways to do this:

• "Erase" the hard drive with the kind of bulk eraser, or degaussing device, used for magnetic tape. The problem is, the degaussing field is strong enough to physically ruin the hard drive. This is, therefore, the same thing as physical destruction, and may be a good choice if the next destination is the smelter or a landfill.  However, since KU recycles or donates most of the computer equipment we use, this makes physical destruction less useful.
• Perform a "data overwrite" or "data wipe." Data is not actually wiped from the physical media, but is, instead, overwritten with other data. This has the same effect of removing the previous data from the drive and, given certain methods of overwriting, can make it virtually impossible to determine that the previous data ever existed. Data wiping is a very effective method of destroying sensitive information from all magnetic media as long as the right tool is used.  Multiple wipes or "passes" are normally required to assure that the data in no longer accessible.

The type of "data overwrite" needed depends on the information stored on the computer, and its next destination. The following table should help decide how to handle a particular computer. Sensitive information may include but is not limited to:

• Personal health information
• Financial Information
• Confidential personal information (SSN, Birth date, Maiden name, etc)

The same guidelines also apply to data stored on other devices such as PDAs, memory sticks, etc. If you need assistance removing data from these devices, or if you are not sure if the data stored on the device being relocated is sensitive, please contact the IT Security Office at 864-9003.

If a drive is outdated, malfunctioning, or no longer need by a department, you can physically destroy the drive. This destruction can be done with a powerful magnet, or a big hammer. After destruction, contact KU Recycling at 864-2855 to have the drive picked up for recycling. They will pick up individual drives as well as entire machines. For more details review the information on the KU Recycling Web site.

To properly clean your media, please use the utility called "Darik's Boot and Nuke" (DBAN) available at http://dban.sourceforge.net/.

This tool will create an easy to use cleaning floppy or CD that can be used in most computers.  It will allow you to boot from the media and begin the cleaning process without anything needing to be installed on the computer. DBAN allows you to choose a number of options.  For a secure wipe of data seven passes of the overwrite routine are required. Installation instructions for DBAN tool.

For questions or assistance with this process please contact the IT Security Office:

• Email: itsec@ku.edu
• Phone: 785-864-9003
• Web: www.security.ku.edu

For more information about computer recycling at KU visit the KU Recycling Web site.