Stanford community urged to purge unneeded data

The University Privacy and Information Security offices are encouraging members of the university community to periodically purge unneeded computer files.

Recent high-profile incidents at the university and elsewhere have highlighted the importance of periodically reviewing and purging unneeded data.

Today’s expansive and inexpensive data storage systems, coupled with powerful search capabilities, raise the question: “Why should I delete anything at all?”

The answer is simple: privacy and security.  Data have a propensity to spread and persist, and some data include sensitive information. As time passes, these data lose their usefulness. We unwittingly make copies, we forget what is where – and data increasingly become susceptible to unauthorized exposure.

Michael Duff, assistant vice president and chief information security officer, said that data incidents at the university frequently involve someone who is unaware that he or she had stored sensitive data. As examples, he cited:

  • Files copied from a former colleague’s computer
  • Copies of files automatically created from web downloads and by opening email attachments
  • Reports generated from personnel databases
  • Projects from years ago
  • Old student applications including sensitive information

Duff recommends the following steps:

  • Set aside a day for file cleanup, perhaps even organizing an annual “data disposal day” for your department.
  • Quickly scan through all of your files, including those on departmental file shares, AFS, Box/Medicine Box, Google Drive, One Drive, and your own computer.
  • Purge files that are no longer needed, noting that some information must be kept a minimum amount of time per legal requirements or policy (see Administrative Guide Memo 2.1.3 and 3.1.5 as examples).
  • Remove Stanford data from personal (non-Stanford) services, such as a personal Google or DropBox account.
  • If you discover sensitive data that may have been exposed to unauthorized parties, notify the University Privacy Office before making any changes.
  • Shred unneeded paper documents and data CDs.

For additional security tips, see the university’s new secure computing guide.