Providing a collection and recycling service for Clients.
Managing Hazardous Wastes for Clients since 2005.
Providing Consultancy, mitigating risk to the Envionment, Improving CSR.
Data destruction is a term which has become increasingly used in today’s modern technological world. Similar to physical possessions, data or information is a crucial aspect of daily modern business, whether publicly or privately operated. Data may contain information crucial to a Business, may contain proprietary information or may relate directly to members of the public. Failure to fully destroy such data prior to decommissioning of I. T. equipment may inadvertently result in the data entering the public domain. Such inadvertent disclosures may have an adverse impact upon a company or public body, leading to negative media coverage, prosecution, brand damage, loss of revenue and unforeseen internal running costs.
It is essential that information that is no longer required is securely and irrecoverably removed from all media or that the media itself is fully destroyed. This is the whole purpose of data destruction. The destruction of data or the media on which it is stored can be broadly broken down into non-physical destruction and physical destruction as follows:
Where information about the general public is collected and stored en-mass by a corporate or public entity, the entity itself is regulated as a Data Controller by the Information Commissioners office (ICO) through the purchase of a licence from the Agency. The ICO in itself requires that data controllers comply with eight principles of the Data Protection Act, which make sure that personal information is:
The use of third parties in the provision of a service that destroys data and media does not necessarily absolve the data controller of liability, particularly where the third party fails in its duty to fulfill the allotted task. This is abundantly clear when considering the investigations carried out by and subsequent fines issued by the ICO:
The ICO, in it’s latest investigation highlights some severe shortcomings in the contractual arrangements held by some registered data controllers. Reviews of contractual arrangements may, in many instances prevent such breaches occurring and should include:
Above all, as stated by the ICO, “We should not have to tell organisations to think twice, before outsourcing vital services to companies who offer to work for free.”
Ultimately, data destruction aims to prevent confidential information from entering the public domain. However, it can be leaked by many routes, the most prevalent (by volume) being that of end-of-life disposal.
The WEEE directive itself introduces one such route by the very virtue of a producer or manufacturer having to provide a “like for like” service whereby the end-of-life unit will be removed for disposal when a newer model is purchased.
Similarly, warranties leave the user at risk, as the distributor or manufacturer is inclined to remove the faulty computer when replacing the unit under warranty. However, the disposal of “bulk loads” of end-of-life computer hardware poses the greatest risk to a public or private entity.
The process of disposal is at risk from the point of decommissioning (leaving a PC in a public space or by a skip, storing end-of-life equipment in a public area) to final disposal (use of third parties with no prior relationship or history).It is therefore in the interests of the Data Controller to employ measures to reduce the risk. These may include:
About the Author: Richard Anthony Johnson
IT-Green is the registered trademark of Computer Displays (UK) Limited. Copyright 2013