Secure Reuse and Recycling for Yale IT Systems
Yale Policy and Standards require IT systems to be re-purposed and recycled securely. This page provides the details for the proper reuse and recycling of Yale IT Systems.
It may feel that there is a new piece of technology or IT System introduced to us every day. The newest smartphone, a faster laptop, a sleeker-looking desktop computer. Other times, our older, reliable devices are too out of date to keep up with the latest and greatest software.
Either way, it means out with the old, in with the new. But before we get rid of the old, we need to ensure we are protecting the data the system stored. You may be throwing the old device away (recycling, of course) or passing it down to a new owner (repurposing).
Either way, you need to ensure you delete all the data on the system completely and securely.
Before repurposing or recycling any IT System, you must delete the data. Only "erasing" or "deleting" files does not remove them from the storage on an IT System. A user can still extract the data in many ways, putting the data at risk of unauthorized access. Follow this guideline to securely remove data for your old IT System.
Recycling Yale IT Systems
To recycle your IT System, follow Yale's Environmental Health and Safety (EHS) process. This process is required for any IT System used at Yale, despite its classification. These requirements come from Yale 1610 PR.01 and Yale's Minimum Security Standards (MSS). The EHS process destroys the computer's hard drive to minimize the risk of data loss.
Re-purposing Yale IT Systems
If you are repurposing an IT System, there are a few steps to follow. These steps are required for all IT Systems that store High-Risk data. These requirements come from Yale Policy 1609 and Yale's Minimum Security Standards (MSS). You may need to engage your local IT Support Provider to follow this process in its entirety.
What you need to know:
- Where the IT System is coming from (who uses it now? was it used in Yale's covered entity?)
- Where the IT System is going (who will be the new user of the device?)
- Will the new user be using it for Yale business or for personal use?
This information tells your local IT Support Provider how to re-configure the device securely. The steps to securely configure a device for reuse are below. This is a technical process that your local IT Support Provider can complete for you.
Re-purposing IT Systems for Yale Business
- Ensure the device is whole-disk encrypted.
- Re-image the device and configure it to meet the MSS for the risk classification. The classification should be based on the new use of the device.
For example, you are re-purposing a laptop that will now be used to access moderate-risk data. That laptop must be configured to meet the moderate-risk Minimum Security Standards (MSS).
Re-purposing IT Systems for personal use
Instructions for re-purposing an IT System for personal use depends on how the system is set up. For instructions on re-purposing Windows, Mac, and other system types, see below:
For Windows systems with a TPM Chip:
- Ensure the device is whole-disk encrypted.
- Clear the TPM chip. You can visit the ITS KB article for instructions on how to clear a TPM chip.
- Verify you cleared the TPM chip by rebooting the device. You should be at the BitLocker recovery screen.
- Perform a fresh OS install using manufacturer-provided media. You cannot use the Managed Workstation (MW) image for this use case.
For Mac systems:
- Ensure the device is whole-disk encrypted.
- Repartition the hard drive. You can visit the ITS KB article for instructions on repartitioning the hard drive.
- Perform a fresh OS install using manufacturer-provided media. You cannot use the Managed Workstation (MW) image for this use case.
For all other system types:
The following instructions apply to both a Mechanical and Solid State Drive (SSD). There are two options for securely deleting data from these system types.
Option 1:
- Ensure the device is whole-disk encrypted.
- Perform a fresh Operating System (OS) install using manufacturer-provided media. You cannot use the Managed Workstation (MW) image for this use case.
Option 2:
- Ensure the device is whole-disk encrypted.
- Remove the hard drive. Shred the hard drive by following the Yale Environmental Health and Safety Process.
- Replace the hard drive. You cannot use the Managed Workstation (MW) image for this use case.
Re-purposing IT Systems from Yale's HIPAA Covered Entity
When a device is leaving the covered entity, there are extra precautions we need to take. If the IT System was used in Yale's HIPAA covered entity, you may need to fill out a Chain of Custody form.
When is a Chain of Custody form required?
If the IT System is leaving the covered entity, Yale requires a Chain of Custody form. Yale requires this form if the IT System is being re-purposed for Yale business or for personal use. Examples include:
- An IT System is leaving Internal Medicine for reuse in the Math department. Internal Medicine is part of the covered entity. The math department is not a covered entity. In a scenario like this, follow the steps for IT Systems being re-purposed for Yale business. Then, complete the required Chain of Custody form.
- A doctor from a covered entity (e.g. Internal Medicine) is re-purposing the device for personal use. They will take the laptop home and will not use it for Yale business. In a scenario like this, follow the steps for IT Systems being re-purposed for personal use. Then, complete the required Chain of Custody form.
Download the Chain of Custody Form
Note: A Chain of Custody form is not required when the device is staying in the covered entity.
For example, a device was used in the Internal Medicine department. It is now being repurposed for use in the Surgery Department. In this scenario, follow the steps for IT Systems being re-purposed for Yale business. No further action is required.
Need Help?
- For help with setting up a device to be recycled or reused securely, contact your IT Support Provider.
- For questions or concerns about the processes on this page, email Information Security.