When disposing of end of life equipment, one has to consider the data security implications.
With data disposal, there are a number of factors to consider, namely:
What is the data? What are the implications of a breach? What form is it in? How much is there? Where is it kept? Do you want on-site disposal?
Then there are the methods used to ensure that the data is securely and permanently destroyed.
Each of these methods has its own standards and processes, and there are numerous reasons for choosing one method over another.
What is absolutely essential is that you choose a certified hard drive destruction company that can demonstrate experience and accreditations and that uses the right equipment.
The Information Commissioner's Office (ICO) now polices the Data Protection Act much more vigorously than it has in the past and has handed out its highest fine yet for a data breach. This was action against Brighton and Sussex NHS, which was fined £325,000.
There are key requirements you must consider when choosing an IT asset disposal partner. The ICO states that you must take reasonable steps to prevent data breaches, but sometimes something goes wrong and a breach occurs. If the worst happens, you need to be in a position to defend yourself. The following points must be considered:
- The data destruction process must be agreed between both parties – this could be overwriting the HDDs or physical destruction. Data erasure software must, of course, be independently verified as effective; in the UK this would involve CESG approval.
- Physical destruction is covered in various Government policies, but essentially the drives are shredded into particles no wider than a specified size. A contract or written agreement must be made between the two parties. This defines the obligations of both parties.
- Should your IT disposal company fail to do what it has agreed to, you can demonstrate and prove the criteria you specified to ensure the security of the data destruction process.
- The easiest way to ensure there are no data breaches is on-site destruction.
Lastly, you must demonstrate that you have completed ‘due diligence’, and the ICO specifies an audit of the IT asset disposal company’s facility.
Choosing the correct, certified partner is paramount: it gives you the peace of mind that there can be no data breaches, that the equipment is disposed of safely, securely and ethically, and lastly it gives you an auditable trail that satisfies the ICO and the WEEE Directive.