Scope
This policy shall define a minimum standard as it relates to the acquisition and disposal of multifunctional devices, copiers, and similar devices. All activities and documentation shall be performed in such a manner that evidence of the activity can be reviewed by auditors or the University Information Security Offices.
This policy applies to all University of Rochester (UR) persons, which is defined to mean all staff, faculty, physicians, volunteers, contractors and students of the University, the University itself, including all University divisions, departments, offices, and affiliates. The Policy also applies to agents and vendors of the University.
All UR persons who use MFDs, copiers, scanners, printers, fax machines and other devices that may contain hard drives or other media that store data must follow this policy in acquiring, maintaining and disposing of them. This policy does not pertain to medical equipment, like CT scanners or MRI machines.
Purpose
Multifunctional Devices (MFD), Copiers, Scanners, Printers, Fax machines and other devices may contain hard drives or other media that store data such as images of pages that have been copied, printed or faxed. The data on these devices, in unencrypted form, may be retrieved by a person with some prior technical knowledge. The data stored on these devices may contain High-Risk Information, such as student, patient and employee “Personal Identifying Information” or “Protected Health Information”.
This Policy is intended to prevent unauthorized disclosure of High-Risk Information and to comply with state and federal laws and regulations, including the Health Insurance Portability and Accountability Act (HIPAA) and the New York State Social Security Number Disposal Act.
Leased MFD or Copiers
The current preferred University print vendor is available to assist with leases or purchases of MFD, copiers, printers and other similar devices. In some cases, leases or purchases must be completed through the current preferred University print vendor as more fully described below.
- All leases of devices outlined above must be arranged through Corporate Purchasing.
- In URMC Divisions including off-site locations, all leases must be completed through the current preferred University print vendor which will work with Corporate Purchasing.
- In all leases handled by Corporate Purchasing and the current preferred University print vendor, the lease agreement will require cleaning of stored data from the equipment or surrender of the storage media to the University at the end of the lease. Cleaning may be done by the University, the current preferred University print vendor or the lease vendor, and may be included as part of the lease or purchase cost.
Purchased MFD or Copiers
The current preferred University print vendor is available to assist with purchases of MFD, copiers, printers and other similar devices. In some cases, the purchases must be completed through the current preferred University print vendor, as more fully described below.
- All purchases of devices outlined above must be arranged through Corporate Purchasing.
- In URMC Divisions, including off-site locations, all purchases of MFDs and copiers must be completed through the current preferred University print vendor.
Purchase of Laser Printers, Scanners, Fax Machines and other office devices
Purchases of devices such as laser printers, scanners, fax machines, and digital recorders that do not have a hard drive can be made in any way allowed by University Policy and approved by Corporate Purchasing.
Disposal of Purchased Equipment
For all equipment that was not acquired through the current preferred University print vendor, care should be taken to ensure that the device is disposed of properly. This includes:
- Purchased MFDs, copiers and any other device which may contain some type of storage media, which must be disposed of in the same manner as computer equipment.
University IT maintains a contract with a vendor that securely destroys internal storage media before recycling or reselling equipment. For more information on equipment disposal, see the IT Equipment Recovery Program.
Internal Transfer of Equipment
Any MFD, copier or device that may contain storage media that is put into the University’s surplus property program or directly transferred to another University department or individual must be cleaned of stored data before it is transferred from the “selling” department. The IT Equipment Recovery Program or the current preferred University print vendor will perform this function for any department that lacks the expertise or resources to do this.
Temporary Equipment
Occasionally it is necessary to contract for temporary use of equipment, e.g. for high-volume copying jobs. Any agreement for temporary equipment must include in writing that the vendor clean all stored data off the machine before removing it from University property. The department requesting the temporary equipment is then responsible for identifying the need to clean all stored data and for ensuring that the vendor performs this function.
Disposal of Credit Card Terminals
Users of credit card processing machines must dispose of them through the University IT Equipment Recovery Program.
Sanctions
Violations of this Policy can result in disciplinary action up to and including separation from the University and/or exclusion from University programs and facilities.
Definitions
Multifunctional Device (MFD): considered to be an office machine which
- incorporates more than one component of functionality (e.g. copying, scanning, printing)
- has a hard drive or other method for data storage