Delete or destroy data and devices

🎓 Purpose

Part of proper data and device (asset) management is the secure deletion (sanitization) and destruction of data when it is no longer required for a project and not suitable for preservation or subject to retention or archiving requirements.

👥 Audience

FACULTY RESEARCHERS ADMIN STAFF IT STAFF STUDENTS

🔖 Contents

Initial considerations

Data retention; preservation or archiving.

Increasingly, there are legal, regulatory, and policy-based obligations or academic and public value to the long-term storage of data produced at the University.

Administrative data

https://utarms.library.utoronto.ca/records-management/uoftfileplan

Research data

https://onesearch.library.utoronto.ca/researchdata/retention-and-preservation

Consult ethics protocols and other agreements.

Is your data or your obligation to securely delete it covered by other binding documents or contracts?

Human ethics or animal use protocol.

Ethics/use protocols will need to specify for how long your data is to be retained, if it will be deposited into a long-term solution, and how it will be securely deleted.
If you are unsure about your obligations, please contact the relevant ethics unit.
- https://research.utoronto.ca/ethics-human-research/ethics-human-research
- https://research.utoronto.ca/ethics-animal-research-teaching/ethics-animal-research-teaching

Agreements (Data sharing [DSA], material sharing [MTA], etc.)

Research contracts and agreements can include language around how data can be retained or how it should be deleted upon the conclusion of the contract, agreement, or project.
Contact the relevant contract and agreements office regarding sponsor or data provider requirements.
- https://research.utoronto.ca/research-innovation-agreements/research-innovation-agreements

Determine your data's classification.

Classifying your data is the first step to knowing what methods are required to properly delete or destroy it.
- Classify data

\uD83D\uDCD8 What can I do?

For confidential, sensitive, restricted, or regulated data (Level 3 or 4)

Data is unrecoverable only if stored on an encrypted device. Encrypt data and devices

Cross-platform

Sanitize a device
- Your motherboard or drive manufacturer might provide a proprietary sanitization utility.
- https://partedmagic.com/
- https://dban.org/

Cloud services

Contact provider regarding secure data deletion pipeline.

Physical data

Commercial shredding. Contact your local IT group for recommendations: https://uoft-infosec-cf.atlassian.net/wiki/spaces/ISH/pages/4948958/Additional+help#%F0%9F%96%A5%EF%B8%8F-Information-Technology-(IT)
- Ensure that you receive a Certificate of Destruction for your records.

For non-sensitive, non-public data (Level 2)

Data could be recovered with difficulty.

Windows

Delete a file
- https://learn.microsoft.com/en-us/sysinternals/downloads/sdelete
Delete all data from a device
- https://support.microsoft.com/en-us/windows/create-and-format-a-hard-disk-partition-bbb8e185-1bda-ecd1-3465-c9728f7d7d2e
  - Do not perform a “quick format”.

MacOS

Delete a file
- Delete file and empty Trash .
Delete all data from a device
- https://support.apple.com/en-ca/guide/disk-utility/dskutl14079/mac
  - Do not select “fastest” under “security options”.