Disposal of Sensitive Data
Scope
This policy covers disposal of all Loyola Protected data and all Loyola Sensitive data, regardless of the storage medium.
Purpose
The purpose of this policy is to provide departments and users with the standards for disposing of Loyola Protected data and with options for disposing of Loyola Sensitive data.
Policy
Loyola Protected data paper documents
All Loyola Protected data that exists in paper document form must be disposed of by shredding. All documents should be dropped off in designated containers that will be shredded by a licensed and bonded document destruction company. If a department does not have access to designated shredding containers, the department head or their designee shall contact Purchasing to arrange for shredding services or to purchase an individual shredder that meets or exceeds the Shredder Standards set in the appendix.
Loyola Sensitive data paper documents
The method of disposal for Loyola Sensitive data that exists in paper document form is left up to the department that produced those documents. They can either opt either to use the shredding option that is used in the department for Loyola Protected data in paper document form, or they can choose to take no additional steps in disposing of the documents, disposing of them the same way they dispose of Loyola Public data that exists in paper document form.
Loyola Protected data electronic documents
All media containing Loyola Protected data in electronic document form should be sent to the ITS Information Security team for secure deletion. The ITS Information Security team will delete the Loyola Protected data from the media in accordance with current ITS Secure Deletion procedure. Any media which cannot be processed according to this standard will be destroyed by the ITS Information Security team.
Loyola Sensitive data electronic documents
The method of disposal for Loyola Sensitive data in electronic document form is left up to the department that produced those documents. They can either opt to use the secure deletion option that is used for Loyola Protected electronic documents, or they can choose to dispose of them through the same method used by the department to dispose of Loyola Public data in electronic document form.
Loyola Protected data documents taken outside of Loyola
Any paper or electronic documents containing Loyola Protected data that are taken outside of Loyola by employees, student workers, consultants or agents of Loyola University Chicago must be returned to Loyola for proper disposal as outlined above. Any paper or electronic documents containing Loyola Protected data that are taken outside of Loyola by parties who are contractually bound to handle data produced by Loyola must dispose of paper documents through a bonded and licensed document destruction company, electronic documents through a method that meets or exceeds the standards in the Loyola Secure Deletion standards, or return the documents to Loyola for proper destruction as outlined above
Loyola Sensitive data documents taken outside of Loyola
Any paper or electronic documents containing Loyola Sensitive data that are taken outside of Loyola by employees, student workers, consultants or agents of Loyola University Chicago should be disposed of in a manner consistent with the originating department’s method of disposing of paper documents containing Loyola Sensitive data or returned to the department for proper disposal. Any paper or electronic documents containing Loyola Sensitive data that are taken outside of Loyola by parties who are contractually bound to handle data produced by Loyola must dispose of paper documents through a bonded and licensed document destruction company, electronic documents through a method that meets or exceeds the standards in the Loyola Secure Deletion standards, or return the documents to Loyola for proper destruction as outlined above.
Questions about this policy
If you have questions about this policy, please contact the Information Security team at DataSecurity@luc.edu.
Policy adherence
Failure to follow this policy can result in disciplinary action as provided in the Staff Handbook, Student Worker Employment Guide, and Faculty Handbook. Disciplinary action for not following this policy may include termination, as provided in the applicable handbook or employment guide.
Appendix
Shredder Standards
All shredders used to dispose of Loyola Protected data must meet the following standards:
- Type of cut
All shredders should be cross-cut or confetti-cut shredders. Strip-cut shredders are not permitted.
2. Size of cut
All shredders should produce shreds that are no larger than 5/32" by 1". Shredders that produce larger shreds are not permitted.
Large amounts of paper documents
Departments that will be shredding large amount of paper documents, either on a one-time basis or on an ongoing basis, should use the University's contracted shredding service instead of individual shredders located within Loyola departments.
Bonded shredding service
Loyola uses a contracted 3rd party to provide bonded shredding services. Departments wishing to employ their services should contact the Purchasing department.
ITS Information Security team contact information
For any questions regarding the ITS Secure Deletion procedure or to arrange to have devices picked up for secure deletion, contact the ITS Information Security team atDataSecurity@luc.edu.
History
- March 4, 2008: Initial Policy
- June 19, 2015: Annual review for PCI Compliance
- May 11. 2016: Annual review for PCI Compliance
- May 7, 2017: Annual review for PCI Compliance
- June 11, 2018: Annual review for PCI Compliance
- July 8, 2019: Annual review for PCI Compliance
- May 28, 2020: Annual review for PCI Compliance
Scope
This policy covers disposal of all Loyola Protected data and all Loyola Sensitive data, regardless of the storage medium.
Purpose
The purpose of this policy is to provide departments and users with the standards for disposing of Loyola Protected data and with options for disposing of Loyola Sensitive data.
Policy
Loyola Protected data paper documents
All Loyola Protected data that exists in paper document form must be disposed of by shredding. All documents should be dropped off in designated containers that will be shredded by a licensed and bonded document destruction company. If a department does not have access to designated shredding containers, the department head or their designee shall contact Purchasing to arrange for shredding services or to purchase an individual shredder that meets or exceeds the Shredder Standards set in the appendix.
Loyola Sensitive data paper documents
The method of disposal for Loyola Sensitive data that exists in paper document form is left up to the department that produced those documents. They can either opt either to use the shredding option that is used in the department for Loyola Protected data in paper document form, or they can choose to take no additional steps in disposing of the documents, disposing of them the same way they dispose of Loyola Public data that exists in paper document form.
Loyola Protected data electronic documents
All media containing Loyola Protected data in electronic document form should be sent to the ITS Information Security team for secure deletion. The ITS Information Security team will delete the Loyola Protected data from the media in accordance with current ITS Secure Deletion procedure. Any media which cannot be processed according to this standard will be destroyed by the ITS Information Security team.
Loyola Sensitive data electronic documents
The method of disposal for Loyola Sensitive data in electronic document form is left up to the department that produced those documents. They can either opt to use the secure deletion option that is used for Loyola Protected electronic documents, or they can choose to dispose of them through the same method used by the department to dispose of Loyola Public data in electronic document form.
Loyola Protected data documents taken outside of Loyola
Any paper or electronic documents containing Loyola Protected data that are taken outside of Loyola by employees, student workers, consultants or agents of Loyola University Chicago must be returned to Loyola for proper disposal as outlined above. Any paper or electronic documents containing Loyola Protected data that are taken outside of Loyola by parties who are contractually bound to handle data produced by Loyola must dispose of paper documents through a bonded and licensed document destruction company, electronic documents through a method that meets or exceeds the standards in the Loyola Secure Deletion standards, or return the documents to Loyola for proper destruction as outlined above
Loyola Sensitive data documents taken outside of Loyola
Any paper or electronic documents containing Loyola Sensitive data that are taken outside of Loyola by employees, student workers, consultants or agents of Loyola University Chicago should be disposed of in a manner consistent with the originating department’s method of disposing of paper documents containing Loyola Sensitive data or returned to the department for proper disposal. Any paper or electronic documents containing Loyola Sensitive data that are taken outside of Loyola by parties who are contractually bound to handle data produced by Loyola must dispose of paper documents through a bonded and licensed document destruction company, electronic documents through a method that meets or exceeds the standards in the Loyola Secure Deletion standards, or return the documents to Loyola for proper destruction as outlined above.
Questions about this policy
If you have questions about this policy, please contact the Information Security team at DataSecurity@luc.edu.
Policy adherence
Failure to follow this policy can result in disciplinary action as provided in the Staff Handbook, Student Worker Employment Guide, and Faculty Handbook. Disciplinary action for not following this policy may include termination, as provided in the applicable handbook or employment guide.
Appendix
Shredder Standards
All shredders used to dispose of Loyola Protected data must meet the following standards:
- Type of cut
All shredders should be cross-cut or confetti-cut shredders. Strip-cut shredders are not permitted.
2. Size of cut
All shredders should produce shreds that are no larger than 5/32" by 1". Shredders that produce larger shreds are not permitted.
Large amounts of paper documents
Departments that will be shredding large amount of paper documents, either on a one-time basis or on an ongoing basis, should use the University's contracted shredding service instead of individual shredders located within Loyola departments.
Bonded shredding service
Loyola uses a contracted 3rd party to provide bonded shredding services. Departments wishing to employ their services should contact the Purchasing department.
ITS Information Security team contact information
For any questions regarding the ITS Secure Deletion procedure or to arrange to have devices picked up for secure deletion, contact the ITS Information Security team atDataSecurity@luc.edu.
History
- March 4, 2008: Initial Policy
- June 19, 2015: Annual review for PCI Compliance
- May 11. 2016: Annual review for PCI Compliance
- May 7, 2017: Annual review for PCI Compliance
- June 11, 2018: Annual review for PCI Compliance
- July 8, 2019: Annual review for PCI Compliance
- May 28, 2020: Annual review for PCI Compliance