Interviews

Data destruction risk

by Mark Rowe

Over the next two years, the Information Commissioner’s Office (ICO) will review the data destruction directive. Julie Pickersgill, operations director of Advanced Digital Dynamics (ADD) Ltd, which provides secure onsite data destruction services, looks at this key area of risk management and what businesses need to know.

Small and medium sized enterprises (SMEs) ignore the storage and disposal of confidential information at their peril. Following some high profile data security breaches and substantial fines in the public sector, the Government’s regulator is now stepping up its scrutiny of private sector breaches in data laws.

SMEs often misunderstand the impact of failing to have secure systems in place to dispose of private data. Companies falling foul of the law risk their reputation – and possibly their business – as fines can run into six figures for data law breaches.

Data destruction and IT asset disposal are heavily regulated and complex areas but ignorance is not bliss. No matter who deals with the operational aspect of data protection and destruction, the business owner is ultimately accountable.

This is even the case where an external company has been hired to destroy data. A Scottish council was fined £250,000 after sensitive documents were found in supermarket waste bins. The Scottish ICO said the local authority had ‘taken their eye off the ball’ when outsourcing and not carried out sufficient checks on the provider.

Old or redundant IT equipment is often viewed as rubbish, and failure to dispose of it properly leaves many organisations exposed to the risk of both asset loss and data loss, each of which carries a potential fine of up to £500,000.

In my experience less than ten per cent of organisations are compliant with the current regulations regarding IT equipment disposal; I believe this is down to a lack of information and awareness of the associated risks. The majority of organisations are not aware of the risks associated with transporting and storing data prior to destruction, nor are they familiar with the methods required to certify data has been erased or destroyed.

Data Protection Act

Under the Data Protection Act 1998, organisations have a duty of care to ensure that no confidential data collected and held by them is released into the public domain in an unauthorised or accidental manner. Under the 2007 Waste Electronic and Electrical Equipment (WEEE) Directive, there is also an obligation to process redundant IT equipment within certain legal parameters. Assurance and traceability are critical where data destruction is concerned. If data is lost or leaked through the actions of a third party, the organisation remains responsible and could be fined accordingly, by up to 2pc of their annual turnover. Therefore, it is fundamental that data is destroyed according to the applicable standards and with the minimum of risk.

Proof

It is not sufficient to simply destroy data: businesses and organisations also have to be able to prove that their data was securely destroyed using approved methods. In the event of a breach, organisations will be required to show traceability of all data assets, and documentation including a valid data destruction certificate.

Predicted changes to regulation

The regulations have already tightened over recent years and they look set to continue to do so. As we become more and more reliant on data, the fines have increased along with the regulators’ powers and their ability and willingness to exercise them; the regulators will not hesitate to levy fines where an organisation has failed in its ‘duty of care’. I believe that over the next few years, the ICO will obtain further powers to audit organisations’ processes, along with mandatory reporting. Those in a business with responsibility for data control will come under increased scrutiny; the regulations that they must adhere to will become even tighter. In addition, there may be regulations imposed on third party contractors; however, this will not remove any liability from the business or organisation.

Organisations at risk

All organisations that collect personally identifiable data are vulnerable to these stringent data destruction regulations. But the problem is intensified in larger businesses and organisations where the amount of data and number of data assets is greater, making traceability and accountability much more of a challenge.

Advice

As part of their risk assessment I would strongly advise any business to review their current IT disposal process, and seek the advice of an expert if necessary. Ask yourself these two key questions:

– Can I prove the data has been destroyed against each and every asset prior to disposal or resale? and

– Do our records accurately show when and where each asset transferred ownership?

In the event of an incident or audit you will be required to provide this information to the regulators.

So what are the necessary steps that businesses can take to ensure that they are fully compliant?

– Brush up on the difference between onsite and offsite destruction. Offsite methods increase the risk of losing data before it can be destroyed, whereas onsite methods enable you to stay close to the process and minimise risk.
– Beware of “free recycling” services. Reputable service providers will recycle redundant equipment or sell it on for re-use, and any value realised can be offset against the costs of data destruction and disposal. With an unconditionally free service it is difficult to prove your duty of care and due diligence.
– Put someone senior in overall charge of the process, who can bring together relevant departments, allocate responsibilities, and who understands the consequences of poor security procedures.
– Run regular staff training for key people on information security procedures. If necessary bring in specialists to advise.
– Be mindful of data classifications. Aggregation and accumulation of data often occurs at the disposal stage, where assets of all types are merged together, and it is then impossible to distinguish between lower and higher risk types of data.
– Ensure you accurately itemise and identify all equipment marked for removal – and its data bearing status – this should be agreed at the point of sign-over and transfer. Maintain detailed records so that, if required, you can provide full end to end traceability.
– Be vigilant about where any redundant equipment is stored before proper disposal. Stacking PCs in a corridor potentially leaves your accountability in tatters so ensure that access is secure and controlled.
– Don’t be tempted to accelerate the process by removing hard disks before the specialists take over, as these must be tied up with serial numbers on the originating asset to fulfil traceability requirements.
– Be extremely diligent when checking third party credentials and ensure that you are confident about their systems and their personnel. Remember you are still liable for their actions.
– Have robust service agreements in place and carry out regular audits; this will demonstrate that you have carried out your due diligence.
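As an added illustration (not code from the article or from ADD), here is a Python check of the two audit questions above run over a constructed disposal register: every itemised asset needs a recorded ownership transfer, every data-bearing asset needs a destruction certificate tied to its chassis serial, and a certificate whose host serial matches no itemised asset (a disk pulled before the specialists took over) is flagged. The record fields, tags, serials and certificate references are all assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Asset:
    tag: str                       # internal asset tag
    serial: str                    # chassis serial number
    data_bearing: bool             # agreed at point of sign-over
    transferred_on: Optional[str]  # ISO date ownership changed hands, or None
    transferred_to: Optional[str]  # receiving party, or None

@dataclass(frozen=True)
class Certificate:
    ref: str           # destruction certificate reference from the provider
    media_serial: str  # serial of the destroyed disk or tape
    host_serial: str   # chassis serial the media was removed from

def audit_disposal(assets, certs):
    """Return {asset tag or media serial: [findings]}; an empty dict means the batch is traceable."""
    certs_by_host = {}
    for c in certs:
        certs_by_host.setdefault(c.host_serial, []).append(c)
    known_serials = {a.serial for a in assets}
    findings = {}
    for a in assets:
        issues = []
        if not (a.transferred_on and a.transferred_to):
            issues.append("no record of when and where ownership transferred")
        if a.data_bearing and a.serial not in certs_by_host:
            issues.append("data-bearing asset has no destruction certificate tied to its serial")
        if issues:
            findings[a.tag] = issues
    # A certificate whose host serial matches no itemised asset has lost its chain
    # back to the originating equipment, so it cannot prove destruction for any asset.
    for c in certs:
        if c.host_serial not in known_serials:
            findings[c.media_serial] = [f"certificate {c.ref} references unknown host serial {c.host_serial}"]
    return findings

# Constructed sample batch (hypothetical values, not real records)
SAMPLE_ASSETS = [
    Asset("PC-001", "SN-A1", True, "2024-03-01", "recycler-example"),
    Asset("PC-002", "SN-B2", True, None, None),
    Asset("MON-003", "SN-C3", False, "2024-03-01", "recycler-example"),
]
SAMPLE_CERTS = [
    Certificate("CERT-1", "HDD-11", "SN-A1"),
    Certificate("CERT-2", "HDD-22", "SN-Z9"),
]
```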

About Advanced Digital Dynamics Ltd (ADD)

Visit www.add4it.com

ADD based in Harrogate, Yorkshire, has been a supplier of computer hardware for 16 years. The company’s services include refurbished second-market servers and component spares; asset management consultancy for companies with large IT footprints; and on-site secure data destruction and disposal of old hardware. ADD is the UK and Ireland distributor for BarracudaWare and StorageCraft data backup products.


© 2024 Professional Security Magazine. All rights reserved.