Secure Deletion

Secure deletion is vital where there is a chance of the storage device or media being reused, whether internally or externally.  

The Information Security Standard for Asset Management applies and should be followed. This can be found from the Information Security Minimum and Required Reading page.

You should note that in some cases it will not be possible to reuse the storage device or media at all as destruction of the storage device or media is the only option to meet the standard. For computers and laptops removal and destruction of the original storage device and replacement with a new one may be another option for secure reuse. 

The University IT Reuse project can assist with the reuse of computers, laptops and other devices. 

The following methods are not suitable for secure deletion: 

• Moving files to the wastebasket and then emptying it 
• Deleting files from the command line 
• Formatting the disk 

All these mechanisms only mark the data as being deleted such that the space is available to be reused in the future – they do not actually delete the data itself and it could be recovered by data recovery tools.  

The mechanisms outlined in the Asset Management standard are suitable for secure deletion and should be followed for University owned computers, storage devices or media. Please also note that the BYOD Standard regarding University data on Bring-Your-Own-Device devices also requires that the Asset Management standard be followed when the device is no longer needed. The BYOD standard can also be found from the Information Security Minimum and Required Reading page.

For your personal storage devices or media we would recommend that – at a minimum – you should: 

• For HDDs or other magnetic media use a secure deletion tool to overwrite all the data on the device or media, ideally with multiple passes 
• For SSDs or flash drives if the manufacturer of the device provides a secure deletion tool specifically for that hardware, then use that to securely delete all the data on the device. Generic secure deletion tools may not completely remove all data, and without a specific tool destruction of the drive would be the most secure option.  
• Even if the storage device is encrypted you should still overwrite all the data as this ensures that it cannot be decrypted in the future. 

Further information from the UK Government can be found on the National Cyber Security Centre website

Disposing of physical data

The University has a contract for secure waste disposal and more information is available from the Estates Waste and Recycling site.

If you are disposing of paper documents that may contain personal or confidential information then shredding the documents before disposal is strongly recommended. You should ensure that a cross-cut shredder is used and that it meets the requirements of DIN 66399 security level P-4 or above - this information will be in the specifications of the shredder.