Reduce PII Loss by Proper Disposal/Sanitization of Unclass Equipment
By DON CIO Privacy Team - Published, February 1, 2009
During the past year, the Department of the Navy has experienced problems relating to turning in excess information technology and office equipment that contain personally identifiable information (PII).
Disposed equipment most commonly found to contain PII includes office desks, safes, file cabinets, copiers and computer hard drives. Recent audits by the Department of Defense Inspector General and the Naval Audit Service confirm that DON turn-in procedures have not been consistently followed, are inadequate or are out of date. While much of the turn-in process involves the Defense Reutilization and Marketing Office (DRMO), Navy Marine Corps Intranet (NMCI) or other DON network owners, the local command or unit remains responsible for information security, physical security and property accountability for all excess unclassified equipment awaiting sanitization, shipment to DRMO, or release to another DoD component or donation activity.
The following is a list of lessons learned that should be considered by local commands or units when preparing equipment for disposal.
- Use DRMS INST 4160.14, dated May 12, 2008, which provides guidance on the turn-in of excess equipment to DRMO.
- Remove all drawers in desks and file cabinets to ensure stray documents are removed.
- Ensure all lockable drawers or cabinets are open for inspection.
- Refer to ASD Memo “Disposition of Unclassified DoD Computer Hard Drives,” dated June 4, 2001, which provides specific instructions on how to dispose of hard drives in the DoD.
- Use NSA-approved sanitization equipment to properly overwrite and degauss excess unclassified hard drives.
- Ensure copier hard drives have been properly overwritten and degaussed.
- Develop written policies and procedures to clearly define local command/unit roles and responsibilities.
- Provide training for all personnel on how to accurately prepare and process excess unclassified IT equipment before forwarding to DRMO.
- Use the web-based Electronic Turn-in Document (ETID) system for all equipment bound for DRMO.
- Ensure verification labels are placed on all hard drives that have been degaussed and overwritten.
- Keep accurate destruction and turn-in records for a minimum of five years.
For questions regarding privacy, contact Steve Muck, DON CIO Privacy Team lead, at firstname.lastname@example.org.