Secure Deletion

Secure deletion is vital where there is a chance of the storage device or media being reused, whether internally or externally.  

The Information Security Standard "S.6 Asset Management" applies and must be followed. This can be found from the Information Security Minimum and Required Reading page.

You should note that in some cases it will not be possible to reuse the storage device or media at all as destruction of the storage device or media is the only option to meet the standard. For computers and laptops removal and destruction of the original storage device and replacement with a new one may be another option for secure reuse. 

Exemplar technical processes for wiping encrypted devices that meet the Asset Management standard are also available.

The following methods are not suitable for secure deletion: 

• Moving files to the wastebasket and then emptying it
• Deleting files from the command line
• Formatting the disk 

All these mechanisms only mark the data as being deleted such that the space is available to be reused in the future – they do not actually delete the data itself and it could be recovered by data recovery tools.  

The mechanisms outlined in the Asset Management standard are suitable for secure deletion and should be followed for University owned computers, storage devices or media. Please also note that the BYOD (Bring Your Own Device) standard regarding University data on your own devices also requires that the Asset Management standard be followed when the device is no longer needed. The BYOD standard can also be found from the Information Security recommended reading page.

For your personal storage devices or media we would recommend that – at a minimum – you should do the following: 

• For HDDs (Hard Disk Drives) or other magnetic media use a secure deletion tool to overwrite all the data on the device or media, ideally with multiple passes, even if encrypted.
• For unencrypted SSDs (Solid State Drives) or flash drives if the manufacturer of the device provides a secure deletion tool specifically for that hardware, then use that to securely delete all the data on the device. Generic secure deletion tools may not completely remove all data, and without a specific tool destruction of the drive would be the most secure option.
• For SSDs or flash drives with full disk encryption you should delete the decryption keys - and any backup or recovery keys - for the drive. However, even if the storage device is encrypted, a secure deletion as above is recommended so that it cannot be decrypted in the future. 

Further information from the UK Government can be found on the NCSC (National Cyber Security Centre) website.

The University has a contract for secure waste disposal and more information is available from Waste and Furniture Management in Estates.

Confidential waste (paper and data)

If you are disposing of paper documents that may contain personal or confidential information then shredding the documents before disposal is strongly recommended. You should ensure that a cross-cut shredder is used and that it meets the requirements of DIN 66399 security level P-4 or above - this information will be in the specifications of the shredder.