Sitemap
Tel: 0870 3000905
g+ t f
  • WEEE Disposal:

    Providing a collection and recycling service for Clients.

  • Protecting the Environment:

    Managing Hazardous Wastes for Clients since 2005.

  • Assisting Business:

    Providing Consultancy, mitigating risk to the Envionment, Improving CSR.

Why Is Data Destruction So Important?

Data destruction is a term which has become increasingly used in today’s modern technological world. Similar to physical possessions, data or information is a crucial aspect of daily modern business, whether publicly or privately operated. Data may contain information crucial to a Business, may contain proprietary information or may relate directly to members of the public. Failure to fully destroy such data prior to decommissioning of I. T. equipment may inadvertently result in the data entering the public domain. Such inadvertent disclosures may have an adverse impact upon a company or public body, leading to negative media coverage, prosecution, brand damage, loss of revenue and unforeseen internal running costs.

Types of Destruction

 

It is essential that information that is no longer required is securely and irrecoverably removed from all media or that the media itself is fully destroyed. This is the whole purpose of data destruction. The destruction of data or the media on which it is stored can be broadly broken down into non-physical destruction and physical destruction as follows:

 

Non Physical:

  • Binary Wiping or Purging
  • Secure Erase (Hard Disk)
  • Enhanced Secure Erase (Hard Disk)
  • Degaussing (some tape based media)

 

Physical:

  • Degaussing (Hard Disks and Some Tapes)
  • Shredding
  • Granulating
  • Crushing

 

The merits of each type of media destruction are discussed further here.

Failures at all levels

 

Where information about the general public is collected and stored en-mass by a corporate or public entity, the entity itself is regulated as a Data Controller by the Information Commissioners office (ICO) through the purchase of a licence from the Agency. The ICO in itself requires that data controllers comply with eight principles of the Data Protection Act, which make sure that personal information is:

  • Fairly and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Not kept for longer than is necessary
  • Processed in line with your rights
  • Secure
  • Not transferred to other countries without adequate protection.

 

The use of third parties in the provision of a service that destroys data and media does not necessarily absolve the data controller of liability, particularly where the third party fails in its duty to fulfill the allotted task. This is abundantly clear when considering the investigations carried out by and subsequent fines issued by the ICO:

 

In 2013, NHS Surrey was issued with a £200,000 fine after a member of the general public purchased a Hard Drive off eBay that contained the records of 3,000 patients. The Hard Drive had been sent by the NHS trust for destruction by a third party. This turned out to be part of a larger consignment of PCs handed over to a third-party company on the proviso that the hard drives and their data were destroyed. Ten further drives inside PCs that had belonged to NHS Surrey were discovered to have been sold on in this way despite certificates showing their claimed disposal; a further three contained confidential data. (Source: Techworld.com)

 

In May 2012, Brighton and Sussex University Hospitals NHS Foundation was fined £325,000 by the ICO after an incident involving more than 69,000 patient records found on hard disk drives offered for sale on an internet auction site. The drives contained an easily readable database with the names, dates of births, occupations, sexual preferences, sexually transmitted disease test results and diagnoses for more than 67,000 patients. Another database contained the names and dates of birth of more than 1,500 HIV positive patients. It later emerged that 232 hard drives had been sent for secure destruction but were instead auctioned off. (Source: Dailymail.co.uk)

 

24 July 2008 – Under the pretence of recycling, NHS computers have been dumped in Ghana, where their hard drives are mined of your confidential data by criminal gangs… while children die melting down the highly toxic empty shells. (Source: Basel Action Network)

 

The ICO, in it’s latest investigation highlights some severe shortcomings in the contractual arrangements held by some registered data controllers. Reviews of contractual arrangements may, in many instances prevent such breaches occurring and should include:

  • A physical audit of the contractors premises and processes
  • Employ established firms with a good track record
  • Consider financial remuneration for the destruction process

Above all, as stated by the ICO, “We should not have to tell organisations to think twice, before outsourcing vital services to companies who offer to work for free.”

The Guidance

 

Ultimately, data destruction aims to prevent confidential information from entering the public domain. However, it can be leaked by many routes, the most prevalent (by volume) being that of end-of-life disposal.

 

The WEEE directive itself introduces one such route by the very virtue of a producer or manufacturer having to provide a “like for like” service whereby the end-of-life unit will be removed for disposal when a newer model is purchased.

 

Similarly, warranties leave the user at risk, as the distributor or manufacturer is inclined to remove the faulty computer when replacing the unit under warranty. However, the disposal of “bulk loads” of end-of-life computer hardware poses the greatest risk to a public or private entity.

 

The process of disposal is at risk from the point of decommissioning (leaving a PC in a public space or by a skip, storing end-of-life equipment in a public area) to final disposal (use of third parties with no prior relationship or history).It is therefore in the interests of the Data Controller to employ measures to reduce the risk. These may include:

 

  • Suitable planning for the decommissioning phase including the setting-aside of secure holding areas
  • Internal Auditing of the Equipment as it is decommissioned
  • Employing Contractors with a Suitable History and suitable evidence to mandate their employment

About the Author: