Destruction of research data must be authorised and documented. You can apply for authorisation to destroy research data by completing an Application to Dispose of University Records form. Destruction of research data should be irreversible. This means that there should be no reasonable possibility that the data could be recovered or reconstituted after it’s been destroyed. Any destruction methods used should be performed safely and in accordance with health and safety requirements.
You must use secure destruction methods to destroy research data containing personal identifying information, personal health information, commercial confidential information, or other sensitive information that needs to be disposed of. For further information on secure destruction techniques, contact ICT via the University Service Desk on +61 2 9351 2000 (select option 2 for ICT) or the Self Service Portal.
If you use any third party service providers such as Iron Mountain for data destruction you must ensure that they’re accredited, that they transport physical media containing sensitive data in a secure manner, and that they provide a certificate of destruction.
Paper documents that don’t require secure destruction can be shredded using a document shredder.
You can request confidential waste services through Campus Infrastructure Services (CIS) for secure destruction of research data in paper form.
Digital data on desktops and laptops:
If you’re storing data on hard drives of laptops or desktops, then you must encrypt your devices using disk encryption tools such as BitLocker (Windows) or FileVault2 (Mac). This can’t ensure the complete deletion of data, but does ensure that any residual data will remain secure and protected even if it’s recovered after deletion.
Digital data on external storage devices:
If you’re using external devices such as USB or flash drives for data backup, then you must again use disk encryption. To securely dispose of data on external devices, the password or key used to encrypt the device must be destroyed. This will render the device unusable.
Digital data on CD, DVD, or Blu-ray:
Optical media disks can be shredded in the same way as paper. Many (but not all) document shredders are also capable of shredding optical disks.
Digital data on the RDS:
You must encrypt highly confidential electronic data (e.g. data with personal identifiers) before it’s stored on the Research Data Store (RDS). To securely dispose of the data, the encrypted files must be deleted from active storage on the RDS and the password or key used for encryption must also be destroyed to prevent the decryption of any copies remaining on the backups of the RDS.
Digital data in REDCap:
REDCap should be used purely for data collection, not for data storage. Once the project is complete you should export your data from REDCap and place it on the RDS. Ideally, you should use REDCap’s ‘De-identification options’ when exporting your data, so that no sensitive information is exported. However, if this isn’t possible and you do need to export identifiable data from REDCap, it must be encrypted before it’s placed on the RDS. Once the data has been exported, the REDCap project must be deleted and the deletion approved by a REDCap administrator. The data will be completely destroyed after one year, once the backups of the REDCap servers have been entirely overwritten.
Digital data on eNotebooks:
At present there’s no method for securely destroying data stored on the LabArchives eNotebook platform, so personal identifying and other confidential information must not be stored on an eNotebook if it may ultimately require secure destruction.