Secure Equipment & Data Disposal for Philippine Schools

The Forgotten Threat: Data Left Behind

When Philippine schools replace old computers, switch SIS vendors, or cancel cloud subscriptions, the focus is usually on getting the new system running. But what happens to the data on the old one?

In 2019, the hacking group PinoyLulzSec exposed personal data of approximately 20,000 Philippine Army personnel — names, serial numbers, units, and positions. The Philippine Army clarified that the hackers accessed an old database on a third-party internet service provider containing records from 1950 to 2014. The breach happened because sensitive data was left on a decommissioned system that no one remembered to secure or wipe.

If it can happen to the military, it can happen to your school.

Why Schools Are at Risk

Philippine schools regularly:

• Replace old desktop computers in labs and offices — but the hard drives still contain student records, grades, and staff credentials
• Switch SIS or LMS vendors — but the old vendor may retain your school's data indefinitely
• Dispose of printers and copiers — many modern copiers have internal hard drives that store copies of every document scanned or printed
• Cancel cloud subscriptions — but data may persist in backups or shared folders
• Donate old equipment — a generous act that can expose sensitive data if drives aren't wiped

What Data Is at Risk

Old school equipment and accounts can contain:

• Student records — names, grades, LRNs, addresses, medical records
• Staff credentials — saved passwords, browser auto-fill data, email accounts
• Financial records — tuition payments, payroll data, billing information
• Institutional documents — board minutes, disciplinary records, legal correspondence
• Communication history — emails, chat logs, parent correspondence

How to Securely Dispose of Equipment

Computers and Laptops

1. 1Back up any data you still need to your current system
2. 2Wipe the hard drive — deleting files or formatting is NOT enough. Use a data sanitization tool:

- Free option: DBAN (Darik's Boot and Nuke) — boots from USB and overwrites the entire drive

- Windows built-in: "Reset this PC" with "Clean the drive" option (Windows 10/11)

- For SSDs: Use the manufacturer's secure erase tool (Samsung Magician, Intel SSD Toolbox, etc.)

1. 1Document the wipe — record the computer's serial number, date wiped, method used, and who performed it
2. 2Physical destruction for highly sensitive data — remove the hard drive and physically destroy it (drill holes, degauss, or use a certified destruction service)

Printers and Copiers

• Modern copiers store documents on internal hard drives
• Before returning a leased copier or disposing of an owned one, ask the vendor to wipe or remove the internal storage
• Include data sanitization requirements in copier lease agreements

Mobile Devices and Tablets

• Perform a factory reset (this is generally sufficient for mobile devices with encrypted storage)
• Remove all school accounts (Google, Microsoft, etc.) before the reset
• Remove SIM cards and SD cards

Servers and Network Equipment

• Servers require the same treatment as computers — wipe all drives
• Routers and access points — reset to factory defaults to remove WiFi passwords, network configurations, and admin credentials
• NAS/backup devices — wipe all data and destroy drives if the device contained sensitive records

How to Securely Transition Away from a Vendor

When switching SIS, LMS, or any cloud-based service:

1. 1Export your data first — download all student records, grades, and reports in standard formats (CSV, PDF)
2. 2Verify the export — confirm the exported data is complete and usable before canceling
3. 3Request written confirmation of data deletion — ask the old vendor to certify in writing that your school's data has been deleted from their systems, including backups
4. 4Check the contract — review your Data Processing Agreement for data retention and deletion terms
5. 5Set a deadline — give the vendor a specific date (e.g., 30 days after contract end) to complete deletion
6. 6Revoke all access — disable API keys, change shared passwords, remove the vendor's access to your systems

Creating a Disposal Policy

Every school should have a simple equipment and data disposal policy. Here's a framework:

Asset Inventory

• Maintain a list of all equipment that stores or processes student data
• Include computers, copiers, servers, tablets, external drives, and cloud services
• Update the inventory when equipment is added or retired

Disposal Procedures

• Define who is responsible for data sanitization (IT coordinator, DPO, or designated staff)
• Specify the wiping method for each equipment type
• Require documentation for every disposal (date, method, responsible person)

Vendor Transition Procedures

• Require Data Processing Agreements with all vendors that include data deletion clauses
• Document the data export and deletion process for each vendor transition
• Retain confirmation of vendor data deletion for your records

Retention Schedule

• Define how long old equipment is kept before disposal
• Align with your school's data retention policy under the DPA
• Don't keep old hard drives "just in case" — if the data is backed up elsewhere, wipe and dispose

The Lesson from the PH Army Incident

The Philippine Army called the exposed data "old and unclassified." But names, serial numbers, and unit assignments — even from decades ago — can be used for social engineering and identity fraud. The same applies to student data: an old database with student names, grades, and parent contact information doesn't become less sensitive just because it's from a previous school year.

A system you forgot about is a system an attacker will find.

Quick Checklist

• [ ] Inventory all equipment and cloud services that contain student/staff data
• [ ] Wipe hard drives before disposing of or donating any computer
• [ ] Check copiers and printers for internal storage before returning or disposing
• [ ] Request written data deletion confirmation from former vendors
• [ ] Include data disposal clauses in all new vendor contracts
• [ ] Document every disposal with date, method, and responsible person
• [ ] Review and update your disposal procedures annually

Resources

• 10-Point School Cybersecurity Checklist — overall security measures
• How to Choose Secure School Software — includes vendor evaluation criteria
• Data Privacy Act 101 — your legal obligations for data protection