(20 ILCS 450/20)
Sec. 20. Establishment and implementation. The Data Security on
State Computers Act is established to protect sensitive data stored on
State-owned electronic data processing equipment to be (i) disposed of by
sale, donation, or
transfer or (ii) relinquished to a successor executive administration. This Act
shall be administered by the Department or an authorized
agency. The governing board of each public university in this State must implement and administer the provisions of this Act with respect to State-owned electronic data processing equipment utilized by the university. The Department or an authorized agency shall
implement a policy
to mandate that all hard drives of surplus electronic data processing equipment
be erased, wiped, sanitized, or destroyed in a manner that prevents retrieval of sensitive data and software before being sold, donated, or transferred
by
(i) overwriting the previously stored data on a drive or a disk at least 3
times
or physically destroying the hard drive and (ii)
certifying in writing that the overwriting process has been completed by
providing
the following information: (1) the serial number of the computer or other
surplus
electronic data processing equipment; (2) the name of the overwriting software or physical destruction process
used; and (3) the name, date, and signature of the person performing the
overwriting or destruction process.
The head of each State agency shall
establish a system for the protection and preservation of State
data on State-owned electronic data processing equipment necessary for the
continuity of
government functions upon it being relinquished to a successor executive
administration.
For purposes of this Act and any other State directive requiring the clearing of data and software from State-owned electronic data processing equipment prior to sale, donation, or transfer by the General Assembly or a public university in this State, the General Assembly or the governing board of the university shall have and maintain responsibility for the implementation and administration of the requirements for clearing State-owned electronic data processing equipment utilized by the General Assembly or the university. (Source: P.A. 96-45, eff. 7-15-09; 97-390, eff. 8-15-11.)
|