R2 Guidance & Knowledge Base

Identifying Data Storage Devices [Core 6(a)(3)]


Q. Under Core Requirement 6.(a)(3), an R2 Facility is required to have a documented process to “identify all data storage devices”. How should an R2 Facility determine if a device has data storage capabilities? Is reviewing product information from a manufacturer’s website enough to know whether a device may have data on it?

While confirmation of data storage specifications from the product manufacturer can be a useful tool for understanding a device’s data storage capabilities, R2 Facilities should not rely solely on this information.

R2 Facilities must be aware that different devices, and even different models of the same device, can often have different hardware and data storage capabilities that must be accounted for.  So, while information from the manufacturer can be useful, it must be applied only to the specific devices identified by that manufacturer, and not broadly interpreted across a category of equipment.  Consideration should be given to the specific models, versions, operating systems or other specifications that may vary from device to device and therefore can result in other data sanitization needs.

When identifying data storage devices there are two important aspects to consider. 

    1. The first is whether the device itself can contain data, and therefore would require either physical or logical data sanitization.  If destined for reuse, the device would need to be logically sanitized with appropriate data sanitization software in accordance with Appendix B (10).
    2. The second factor to consider is whether the device is able to connect to user accounts and other online services.  These connections may have the ability to access user data that is stored in locations other than on the device, for example, cloud-based accounts or paired devices.  Appendix B (12) requires that all connections to the remote services be removed so that any accounts or related information cannot repopulate to the device.

Another aspect to account for is the difference between data and general information.  R2v3 defines “data” as “private, personally identifiable, confidential, licensed or proprietary information contained on an electronic device…”  Data always requires sanitization.

“General information” is defined as “publicly available information or information that is provided with the original electronic equipment from the manufacturer.”  General information does not require sanitization.

Clearly understanding the difference between data and general information will help in both the development of the Data Sanitization Plan and implementation of the sanitization methods.

Lastly, when identifying data storage capabilities, be sure to consider any upgrades or modifications to the device, as well as any accessories it may contain, such as memory cards.
