Recordkeeping In Brief 51 - Destroying digital records: When pressing delete is not enough
- Requirements for destroying digital records
- What is digital record sanitisation?
- Why is digital record sanitisation necessary?
- Sanitisation methods (including destruction)
- How to determine which method to use?
- Risks related to not appropriately destroying digital records
- Documenting records destruction
- Special media formats
- For more information
This RIB applies to the destruction of digital State records that is done as part of a program of authorised records disposal in accordance with Part 3 of the State Records Act 1998. For more information on disposing of State records, see Recordkeeping in Brief 48: Disposal at a glance.
This RIB does not address the destruction of hardcopy records. For more information on this refer to the State Records' Guideline 3 Destruction of Records: A Practical Guide.
The destruction of digital records is different from the destruction of hardcopy records. In particular, pressing 'delete' does not necessarily mean that the records are completely gone: while the link used to access them may be removed, they may still exist in a data store or on a server in the organisation. In other words, deleting a file or reformatting a hard drive is not always adequate. As far as possible, the destruction of records should be irreversible, with no reasonable risk of the information being recovered.
As it is increasingly difficult and expensive to completely destroy a digital record, methods of digital records media 'sanitisation' have been devised to help organisations to implement digital records destruction.
Digital records sanitisation or media sanitisation is the process of erasing or overwriting data stored on digital media. Sanitisation is implemented both nationally and internationally, and the extent of sanitisation used generally depends on the classification of the record. For example, if a record is classified as 'Highly Protected', then the media on which the record is stored must undergo the most extreme sanitisation (complete physical destruction) so that reconstruction is deemed impossible.
For public offices to maintain appropriate control over the destruction of digital records stored on digital media, some media may need to be sanitised at appropriate times and by appropriate methods. There are many horror stories of information abuse and illicit information collection through obtaining hardware that has not been appropriately 'cleaned' or sanitised.
Any record stored on digital media is particularly vulnerable to abuse and illicit collection. Appropriate methods need to be taken to ensure that when a record that is stored on digital media is ready to be legally disposed of, it is safeguarded against potential misuse.
Not all media can be sanitised. Some media must be destroyed. Media that is suitable for sanitisation includes some magnetic media, erasable programmable read only memory (EPROM), electronically erasable programmable read only memory (EEPROM), volatile memory and non-volatile memory devices such as USB removable media, pen drives, thumb drives, flash drives and memory sticks. Other examples of media that can be sanitised include electrostatic memory devices within printers and photocopiers and video screens.
It is important that the organisation has proper policies and procedures in place to demonstrate when and how digital records have been destroyed. Any information found on digital media within a public office can be subject to GIPA Act applications, discovery orders, subpoenas and standing orders. However, if a public office has correctly destroyed digital records, time and resources can be saved on searching and reconstituting, since a record that was irrevocably sanitised or destroyed according to proper procedures and methods cannot be reproduced.
| Sanitisation method | Description |
|---|---|
| Clear / overwrite | Using a method that clears records from media protects the record stored on that media from a keyboard attack (a keyboard attack is the search for data from resources available to the normal system users by an unknown entity). Simple deletion is not the same as clearing, as it usually only removes the link within the system rather than the record itself. For media to be cleared, the record must not be retrievable through disk or file recovery utilities. A typical and widely used example of clearing media is overwriting. |
| Purge | Purging the media ensures that the information cannot be recovered in a laboratory attack (a laboratory attack is a means of reconstructing information from digital media using non-standard systems operating outside the media's usual working environment). Purging differs from clearing in that clearing hides the data under layers of nonsensical data (often new data can then be placed on top of the nonsensical data), whereas purging randomises the data so that it is no longer readable. Some disk drives, especially those manufactured after 2001, may be sufficiently purged by using a clearing method such as overwriting. Degaussing is an acceptable method of purging media; it involves exposing magnetic media to a strong magnetic field in order to disrupt the recorded magnetic domains. |
| Destruction | Destruction is the most extreme form of sanitisation and ensures that the media is drastically altered and can never be reused. There are various methods of destruction, including shredding, disintegration, incineration, pulverisation and melting. |
It is important to remember that the issue of digital records destruction is not driven by the media on which the record is stored, but by the information that forms the record that has been placed on the media. In this regard, deciding which method to use to dispose of the media should be done through a risk assessment of the record itself.
The most basic way to decide on which method to use is to have the records already classified with sensitivity labelling (completed long before their disposal). To do this, public offices need to undertake a risk analysis of the information within the records contained on digital media to determine the sensitivity of the record and align the classification with a sanitisation technique. For more information on labelling sensitive information, refer to the Department of Commerce - Government Chief Information Office guideline - Guide to Labelling Sensitive Information.
There is a range of media sanitisation products available. The Australian Government has listed some of these on the Evaluated Product List (EPL). The EPL is a list of products that have been evaluated against set criteria and rated accordingly. Where possible, it is recommended that a sanitisation product is selected from this list. For more information, please refer to the Australian Government Defence Signals Directorate Evaluated Product List.
| Sensitivity classification (based on NSW Department of Commerce Guidelines) | Recommended sanitisation (including destruction) levels |
|---|---|
| Unclassified | Unclassified information is the least controlled information, in the realm of everyday use by governments. For unclassified digital records, overwriting is generally sufficient. Media containing unclassified information that is to be considered for reuse or donation must be overwritten at least three times (see X-in-confidence). Unknown, unclassified information stored on electronic media may sit outside the public office's recordkeeping system; an example of this kind of information is legacy files from another organisation. A risk assessment may need to be carried out to determine the level of sanitisation or destruction for these uncontrolled entities. |
| X-in-confidence | Where records are determined to be X-in-confidence (for example, Commercial in confidence, Personnel in confidence, Cabinet in confidence), the recommended sanitisation method is to clear. The majority of classified records within a public office are usually classified X-in-confidence. To clear digital media, public offices must use hardware or software products to overwrite the storage space on the media with non-sensitive data. The most widely used method is to overwrite the entire media once using only 0s, once again using only 1s, and finally using random data. The goal of overwriting is to replace the written data with random data. For X-in-confidence records, the media itself does not need to be destroyed and may be reused. |
| Protected | Records stored on digital media that are deemed 'Protected' should be sanitised using the purging method. The most common method of purging media is degaussing, which involves exposing the media to a strong magnetic field in order to randomise the data on it. A degausser is a device that delivers this magnetic field, usually through a strong magnet or electromagnetic coil. Some firmware (a program that is sometimes embedded in hardware) for overwriting is acceptable as purging; see the manufacturer's recommendation or discuss with ICT staff. Purging will often render the media unusable, so it should only be used for media on which all the records are due for destruction. |
| Highly Protected | Digital records that are highly protected should be destroyed without any chance of reconstitution. This means that the media is rendered completely unusable and any information is beyond recovery. Destruction methods include disintegration, melting, pulverisation, shredding and incineration, and are usually carried out by licensed organisations. It is recommended that a member of the public office witnesses the destruction of highly protected records and that a certificate (where possible) is issued. This also applies where the destruction is carried out by a third party such as a commercial records storage provider. |
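The three-pass clear recommended above for X-in-confidence media, as an added example that is not from this RIB or from State Records NSW: each pass (all 0s, all 1s, then random data) is written over the whole declared size of the media, then read back and hashed so that a verified result is available for the destruction documentation. The file-like media object, the chunk size and the constructed sample record in demo() are assumptions of this example.

```python
import hashlib, io, os

CHUNK = 64 * 1024  # bytes per write/read step, so very large media need not fit in memory

def _overwrite_pass(media, size, fill):
    # Write `size` bytes produced by fill(n) from offset 0; return SHA-256 of what was written.
    digest = hashlib.sha256()
    media.seek(0)
    remaining = size
    while remaining > 0:
        block = fill(min(CHUNK, remaining))
        media.write(block)
        digest.update(block)
        remaining -= len(block)
    media.flush()
    try:
        os.fsync(media.fileno())  # push buffered writes to the device before reading back
    except (OSError, ValueError):
        pass  # in-memory objects such as BytesIO have no descriptor (io.UnsupportedOperation)
    return digest.hexdigest()

def _read_back_digest(media, size):
    # Re-read the whole media and hash it, so each pass is verified independently of the write path.
    digest = hashlib.sha256()
    media.seek(0)
    remaining = size
    while remaining > 0:
        block = media.read(min(CHUNK, remaining))
        if not block:
            raise IOError("media shorter than declared size; the pass did not cover it")
        digest.update(block)
        remaining -= len(block)
    return digest.hexdigest()

def clear_media(media, size):
    # Three-pass clear (all 0s, all 1s, random data), each pass read back and compared; returns {pass: verified}.
    passes = [("zeros", lambda n: b"\x00" * n), ("ones", lambda n: b"\xff" * n), ("random", os.urandom)]
    verified = {}
    for name, fill in passes:
        written = _overwrite_pass(media, size, fill)
        verified[name] = _read_back_digest(media, size) == written
    return verified

def demo():
    # Constructed sample: an in-memory "media" holding an X-in-confidence record (not real data).
    original = b"Personnel in confidence: payroll extract 2008 " * 2000
    media = io.BytesIO(original)
    result = clear_media(media, len(original))
    remnant = b"payroll" in media.getvalue()  # crude recovery check on the cleared media
    return result, remnant
```

Overwriting through a file-like object covers only the addresses the operating system exposes; sectors a drive has remapped, or flash cells hidden by wear levelling, are not reached, so this clear is a software-level control and not a substitute for the purge or destruction methods the table prescribes for higher classifications.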
If records are recovered from media that was not appropriately sanitised, there is a risk that the public office could be held negligent under State and Commonwealth law. A public office may also be liable under legislation such as the Privacy and Personal Information Protection Act 1998 if digital records that are no longer in use are not properly destroyed and personal information is inadvertently or deliberately released into the public sphere. Recordkeeping systems that provide evidence of consistent and routine procedures for the destruction of digital records may protect a public office against a negligence or other claim. Information from recordkeeping systems can also be produced in response to discovery requests and standing orders, thus avoiding the time and effort of locating or reconstructing the records required.
If a public office is subject to a discovery order, information that may be found in a digital record may be ordered for reproduction regardless of whether the record is still in use for business purposes or not. Documented steps taken to destroy the record may save time and money.
It is also important to note that, according to the State Records Act, records retained by a public office, even after they are no longer in use, must still be accessible. This means that the cost of retaining a record continues even if the record is no longer in use.
As for any records destruction, the destruction of digital records should be documented. This can be done in records management software or by a more manual method. The minimum requirements for documenting records destruction are:
- the date of the destruction
- identification of who/what undertook the destruction
- an authorisation reference for the transfer or destruction (e.g. FA234 2.4.5; GA27 1.2.3; By court order; NAP etc.)
According to the Australian Government Information and Communications Technology Security Manual, it is recommended that some media, regardless of sensitivity labelling, be destroyed rather than using other sanitising methods. This is because certain media cannot be sanitised due to their nature and hence must be destroyed. This media includes:
- Optical disks, including CDs and DVDs
- Printer ribbons
- Programmable read-only memory
- Read-only memory
For more information on sanitisation and destruction methods, please refer to the Australian Government Information and Communications Technology Security Manual (ACSI 33).
- It is recommended that all media that is to be reused in a new environment be sanitised appropriately. This includes media that is being reused for a higher classification of record.
- The clearing of media must be commensurate with the highest level of classification assigned to information stored on that media.
- Before any media is sanitised, it is strongly recommended that the business owners of the record be consulted, as well as Right to Information (RTI) officers and any other position that advises on security and privacy.
- Digital technologies are constantly changing especially in regards to processing speeds and storage capabilities. These new technologies may require new clearing and purging methods not listed here.
- It is recommended that the authorised destruction of digital records is done in a timely manner. Retaining accumulations of digital records that are no longer required for business purposes and are eligible for destruction, on the basis that the storage media is cheap, may be a false economy. Dealing with the destruction of digital records in a planned and systematic way will reduce the risk to the organisation of digital records ending up in the wrong hands.
Australian Government Department of Defence - Defence Signals Directorate, Australian Government Information and Communications Technology Security Manual (ACSI 33), 2007
Australian Government Department of Defence - Defence Signals Directorate, Evaluated Product List, 2007
Department of Commerce - Government Chief Information Office, Guide to Labelling Sensitive Information, 2002
Department of Culture and the Arts, Government of Western Australia - State Records Office of Western Australia, Guidelines: Sanitizing of Hard Disks and Magnetic Media, 2008
National Institute of Standards and Technology, Computer Security Division, Guidelines for Media Sanitization, 2006 (US)
NSW State Records Guideline No. 3 Destruction of Records: A Practical Guide, 1996 revised 2000, 2003, 2005
© State of New South Wales through the State Records Authority, 2008.
First published 2008
This work may be freely reproduced and distributed for most purposes, however some restrictions apply.