The Data Security on State Computers Act is established to protect sensitive data stored on State-owned electronic data processing equipment to be (i) disposed of by sale, donation, or transfer or (ii) relinquished to a successor executive administration. This Act shall be administered by the Department or an authorized agency. The governing board of each public university in this State must implement and administer the provisions of this Act with respect to State-owned electronic data processing equipment utilized by the university. The Department or an authorized agency shall implement a policy to mandate that all hard drives of surplus electronic data processing equipment be erased, wiped, sanitized, or destroyed in a manner that prevents retrieval of sensitive data and software before being sold, donated, or transferred by (i) overwriting the previously stored data on a drive or a disk at least 3 times or physically destroying the hard drive and (ii) certifying in writing that the overwriting process has been completed by providing the following information: (1) the serial number of the computer or other surplus electronic data processing equipment; (2) the name of the overwriting software or physical destruction process used; and (3) the name, date, and signature of the person performing the overwriting or destruction process. The head of each State agency shall establish a system for the protection and preservation of State data on State-owned electronic data processing equipment necessary for the continuity of government functions upon it being relinquished to a successor executive administration.
For purposes of this Act and any other State directive requiring the clearing of data and software from State-owned electronic data processing equipment prior to sale, donation, or transfer by the General Assembly or a public university in this State, the General Assembly or the governing board of the university shall have and maintain responsibility for the implementation and administration of the requirements for clearing State-owned electronic data processing equipment utilized by the General Assembly or the university.
20 ILCS 450/20