Sanitize Devices and Media Before Disposal
University-owned devices must be sanitized before disposal or transfer. That means they must be erased, overwritten, or destroyed so that data cannot be recovered using normal system functions or software data recovery utilities.
U-M Property Disposition is responsible for the disposal or resale of all university property, including all computers and storage media devices, designated as surplus by U-M schools, colleges, and units. Every UM-owned device sent to Property Disposition must either be accompanied by a certificate of sanitization/destruction, have been erased using the KillDisk fingerprint option, or come with a request for sanitization or physical destruction by Property Disposition. Property Disposition accepts devices and does the sanitization or destruction for you for a fee.
How you sanitize or request sanitization of a device or storage media depends on the type of device/storage and who manages it. Types of devices or media that must be sanitized include, but are not limited to:
- Computer hard drives. Computer hard drives might be installed in a computer, or in an external enclosure, and may include solid state drives (SSDs).
- Tapes (magnetic media). Reel-to-reel backup tapes, cassette tapes.
- Optical media. Compact discs (CDs), DVDs, and Blu-ray discs.
- USB drives. Thumb drives and other USB or similar drives.
- Mobile devices. Phones, tablets, and other portable devices that may hold or be used to work with data.
- Printed materials.
The following options are available for disposing of UM-owned devices:
- MiWorkspace-managed devices. Return these to Neighborhood IT for proper sanitization and disposal. Contact your local support person or the ITS Service Center.
- Michigan Medicine devices are managed by Health Information Technology & Services (HITS). To turn in old or unused equipment, visit the Michigan Medicine Help Center (help.med.umich.edu) and use the Turn in Computer Equipment catalog item for equipment to be properly disposed of.
- U-M departmentally-managed devices. Check with your department for your department's preferred disposal method. You or your department can avoid fees by following these do-it-yourself directions:
- Windows and Unix/Linux: Use KillDisk and select the NIST 800-88 1-pass random erase method.
- Mac w/ HDD: Secure Erase. Use Secure Erase via Disk Utility to erase and overwrite data 7 times over the entire disk.
- Mac w/ SSD before T2 Chip: Cryptographic Erase via FileVault Encryption. Ensure FileVault is turned on so the drive is encrypted. Erase the drive via Disk Utility, which will erase the encryption key. Without the cryptographic/encryption key, data on the drive cannot be read even if the data was somehow recovered from the drive.
- Mac w/ SSD & M1 Chip or T2 Chip: Cryptographic Erase via Erase All Content & Settings. Erase All Content & Settings is another crypto-erase feature introduced with Apple's file encryption methodology called Data Protection.
- iOS devices
- Android Devices
- Chrome devices
- U-M fee-based services.
- ITS Tech Repair offers Secure Device Sanitization services for individuals and U-M departments, as well as assistance moving data to a new device if needed.
- Copiers and multi-function devices: The U-M Managed Copier Program leases copiers and multi-function devices for units and departments. See Copier and Multi-function Device Data Security.
- Device Transfers Between U-M Units
- Internal transfer within a department:
- If the U-M employee to whom the university-owned device will be transferred is authorized to view any data the previous employee may have saved on the device, it is up to the unit to determine what, if any, data sanitization or secure device wiping is necessary prior to the transfer.
- If the new recipient is not authorized to view data saved on the device, unit IT must sanitize the device according to the process described in Erase or Destroy U-M Devices, ranging from secure deletion of specific files to complete sanitization, before transferring it to the new employee.
- Transfer between departments:
- If a U-M employee transfers from one U-M department to another and the new unit wants to purchase the device for the transferring staff member to continue using:
- Unit IT for the department being left must determine whether there are any unit-specific data or files classified at Restricted, High, or Moderate, or unit-licensed management systems or software, that the departing employee should no longer have access to, and consequently what data sanitization or secure device wiping is necessary prior to the transfer. Once the device is properly sanitized, Unit IT requests a price from Property Disposition to be paid by the staff member's new department, or the unit can choose to transfer the device at no charge.
- Before a U-M unit transfers unneeded computers or storage media to another U-M unit (unit does not know who the new user will be), the devices must be sanitized according to the process described in Erase or Destroy U-M Devices.
- Transfer to original user for personal use:
- Devices being purchased from U-M units by U-M staff members require consultation with U-M Property Disposition. Property Disposition will determine the price to be paid by the staff member.
- Unit IT staff must perform a secure erasure (computers) or a reset to factory settings (mobile devices) on the device to be sold. Unit IT staff may help back up and restore personal data at their discretion, but cannot restore or transfer U-M data or UM-purchased software to the device being sold.
- Personal devices used for U-M work. See Erase Personal Devices Before Disposal.
Physical Destruction for Secure Disposal
When devices, drives, or media are inoperable, it may be necessary to destroy them to ensure secure disposal. Destruction may also be required by some laws or regulations governing certain types of data.
- Ask Property Disposition to destroy a device. Property Disposition shreds drives or other media in its on-site shredder for $1 per device.
- Destroy a device yourself (strongly discouraged). See Destroy Devices and Media for instructions.
Certificates of Destruction Required for U-M Devices Declared as Surplus
You are required to provide a Certificate of Destruction when taking U-M owned devices to Property Disposition if you have completed one of the secure disposal methods identified above or destroyed a device. The Certificate of Destruction must accompany the U-M Property Disposition Declaration of Surplus Form, which is also required for all U-M property that a department or unit no longer needs.
- If you execute KillDisk to securely erase a device, the program will automatically generate a Certificate of Destruction at its conclusion.
- If you use another method to securely erase or physically destroy media or devices, you must attach a completed copy of this Certificate of Destruction (PDF) to the equipment when you bring it to Property Disposition. If you are bringing multiple items of the same media or device make and model, you can provide one certificate that lists the individual serial number of each device. Your unit is required to maintain a scanned or hard copy of the Certificate of Destruction for three years after disposing of the device or media. You can download the certificate to Google Drive or your computer to fill out as an interactive PDF, or you can print it and fill it out by hand.
If you do not attach a certificate matching the equipment you are dropping off, or use the KillDisk fingerprint option when erasing a device, Property Disposition will process the equipment as if it was not erased or destroyed, and your department will be charged the standard fees for secure erasure or device destruction. If you would prefer, you can also take advantage of Property Disposition's secure erasure and disposal service.
You are also responsible for destroying any printed or paper copies of sensitive U-M data or records that no longer need to be retained. See Shred Sensitive Paper Documents for best practices.
Applicable University Policies
You are responsible for complying with the policies and standards below. The instructions on this page help you meet that responsibility.