D5: The information stored on the device must be protected against access when the device is disposed of.

SB11: Information designated level 3 or 4 must be properly disposed of by securely overwriting the information or physically destroying the media when no longer needed, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

U13: Confidential information in any form must be appropriately disposed of when it is no longer needed.