GENERAL ORDERS LINCOLN POLICE DEPARTMENT
SUBJECT: INFORMATION TECHNOLOGY SECURITY
TITLE: DATA DESTRUCTION POLICY
EFFECTIVE DATE: JUNE 1, 2025
REVISION DATE:
ACCREDITATION: ALABAMA ASSOCIATION OF CHIEFS OF POLICE (AACOP)
APPROVAL: CHIEF DARREN E. BRITTON
DATA DESTRUCTION POLICY
1102.1 PURPOSE AND SCOPE
Lincoln Police Department regularly stores sensitive information on computer hard drives and other forms of electronic media. As new equipment is obtained and older equipment and media reaches the end of life, sensitive information on surplus equipment and media must be properly destroyed and otherwise made unreadable to protect Confidential Information or Personally Identifiable Information (PII).
All employees, contractors, consultants, temporary, and other workers at the Lincoln Police Department and its subsidiaries are responsible for exercising good judgment regarding the appropriate use of information, electronic devices, and network resources in accordance with Lincoln Police Department policies and standards, local laws, and applicable regulations. Exceptions to this policy are documented in section 1100.5.2 of the Acceptable Use Policy.
1102.2 POLICY
This policy is designed to address proper disposal procedures for Confidential Information and/or PII from Lincoln Police Department surplus assets prior to their disposal.
This policy applies to the use of information, electronic and computing devices, and network resources to conduct Lincoln Police Department business that interacts with internal networks and department systems, whether owned or controlled by Lincoln Police Department, the employee, or a third party.
1102.3 TRANSFER OR DISPOSITION OF DATA PROCESSING EQUIPMENT
The transfer or disposition of data processing equipment, such as computers and related media, shall be controlled and managed according to Data Protection Policy guidelines. Data remains present on any type of storage device (whether fixed or removable) even after a disc is "formatted", power is removed, and the device is decommissioned.Simply deleting the data and formatting the disk does not prevent individuals from restoring data.Sanitization of the media removes information in such a way that data recovery using common techniques or analysis is greatly reduced or prevented.
1102.4 PROPER SANITIZATION AND DISPOSAL
Proper sanitization and disposal procedures are key to ensuring data privacy and license compliance. Proper disposal and disposition of surplus computer hardware and other storage media manages the risks of security breaches and inappropriate information disclosure. Broadly, exposure to the agency takes the form of:
Violation of Software License Agreements - Most software is licensed for use on either a single computer system, to a single person, or to an organization. Typically, licenses are not transferable. Even when licenses are transferable, there are generally specific requirements that must be met in order to effect a transfer. Allowing third-party access to licensed software without proper transfer of the license may be a breach of the license agreement, and may subject the state or the recipient of the software to claims and/or damages.
Unauthorized Release of Confidential Information or PII - Allowing an unauthorized person access to Confidential Information or PII can subject Lincoln Police Department to claims for damages.
1102.5 DATA DISPOSAL PROCEDURES
All computer desktops, laptops, hard drives, and portable media must be processed through the Information Technology Unit for proper disposal. Paper and hard copy records shall be disposed of in a secure manner as specified by the archiving and destruction policy. The Chief of Police or his or her designee shall ensure procedures exist and are followed that:
Address the evaluation and final disposition of sensitive information, hardware, or electronic media regardless of media format or type.
Specify a process for making sensitive information unusable and inaccessible. These procedures should specify the use of technology (e.g. software, special hardware, etc.) or physical destruction mechanisms for sensitive information that is unusable, inaccessible, and unable to be reconstructed.
Authorize personnel to dispose of sensitive information or equipment. Such procedures may include shredding, incinerating, or pulp of hard copy materials so that sensitive information cannot be reconstructed. Approved disposal methods include:
Physical Print Media shall be disposed of by one (or a combination) of the following methods:
Incineration – Materials are physically destroyed using a licensed and bonded information disposal contractor
Shredding Bins - Disposal shall be performed using locked bins located on-site using a licensed and bonded information disposal contractor
Shredding - Media shall be shredded using Lincoln Police Department issued cross-cut shredders
Electronic Media (physical disks, tape cartridge, CDs, printer ribbons, flash drives, printer, and copier hard drives, etc.) shall be disposed of by one of the methods:
Physical Destruction – implies complete destruction of media by means of crushing or disassembling the asset and ensuring no data can be extracted or recreated
Degaussing - Degaussing consists of using strong magnets or electric degaussing equipment to magnetically scramble the data on a hard drive into an unrecoverable state
Overwriting Magnetic Media - Overwriting uses a program to write binary data sector by sector onto the media that requires sanitization
IT documentation, hardware, and storage that have been used to process, store, or transmit Confidential Information or PII shall not be released into general surplus until it has been sanitized and all stored information has been cleared using one of the above methods.
1102.6 AUDIT CONTROLS AND MANAGEMENT
On-demand documented procedures, and evidence of practice should be in place for this operational policy as part of the Lincoln Police Department's internal application development and release methodology.
Examples of control documentation include:
On-demand documented procedures related to surplus disposal of hardware and software
Data destruction and surplus logs of equipment identified for disposal
Physical evidence of sanitized assets and/or data destruction/cleansing devices
1102.7 ENFORCEMENT
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
These policies and operating procedures are not designed to cover every possible scenario or situation in society, but rather to define standard operating procedures for members of the Lincoln Police Department. These guidelines are subject to past, present and future judicial review. These guidelines can be amended and or repealed by the Chief of Police as necessary. The policies and procedures herein provided supersede all previous policies and orders.