Data Destruction – Passing the Buck – Guest blog from Malcolm Charnock – Icex

data protection act 1998 Advent IM  consultantsData Protection

Understanding your responsibilities as a data owner includes having proper policy and processes in place for safe removal and destruction of information that should no longer be stored. Its should form part of an organisation’s overall Information Security Policy with specific reference to the Data Protection Act (1998)

Through the power of Social Media we were delighted to meet Malcolm Charnock from Icex and even more delighted that he agreed to do a guest blog on Data Destruction for us. 

Data Destruction – Passing The Buck by Malcolm Charnock

MP900341374

One of the things that keeps me enthused about my job is every client has different requirements when it comes to ensuring all data is eradicated. “Different requirements”? Well maybe the truth is every client has different levels of understanding (or apathy) of their obligation and options when it comes to securely eradicating data.

I have spoken to organisations who insist on 2mm granulation of hard drives, after all this is the standard the MOD requires so their business should insist on this too??? Actually you have to take your hat off to an organisation who takes data destruction this seriously; until you find out this same organisation use a courier to send the hard drives to a data destruction “specialist” who they have no real knowledge of!

The fact is every organisation has the same responsibility and in most cases the process that is most suitable is the same. OK, the local shop losing data will clearly not have the same impact as the MOD but the thought process behind any Information Security Policy should be similar.

ICO Monetary Penalties, contrary to popular opinion, are not levied purely as a result of a breach occurring. Just as important are the organisation’s processes and policies. Have all reasonable precautions been taken to ensure the breach could not occur? Was due diligence carried out to check the suitability of your service provider, contractor or vendor? If the answer is yes and an unprecedented occurrence caused the breach I would personally not expect the ICO to take action other than to ensure you were not vulnerable to this type of event again.

SECURELY MANAGING DECOMMISSIONING AND DISPOSAL OF REDUNDANT IT ASSETS

There are an estimated 700 companies offering IT recycling as part of their capabilities so you would feel confident that in a competitive, open market you would reap the benefits of price checking and negotiating a free collection. The problem is that this is a largely unregulated industry so how do you choose a credible partner to trust with eradicating your data? There are a wide range of “accreditations” cited on most ITADs’ websites and literature, many of these I have never heard of while others require no audit to achieve. In other cases the accreditation is listed although the ITAD will not actually have achieved the standard. The buck stops with the data owner so it is important to do a little investigating before selecting the most suitable partner.

Advent IM Information Security Audit

  • Is your Data Destruction contractor approved? By whom? Have you audited them?
  • Do they use third party contractors? Are they approved? By whom? Have you audited them?
  • Are their processes and policies secure and approved? By whom?
  • Is there a contingency in place?
  • How are data holding items transported? By whom? Are they approved? Have you audited them?

If you can answer all of the above questions you really should have little to fear from the ICO, but you would also be in the minority. If in doubt, speak to ADISA (Asset Disposal and Data Security Alliance) or check their website to see if your preferred IT Recycling partner meets with this DIPCOG recognised industry standard.

The data, regardless of the terms of any contract, remains the responsibility of the data owner and does not pass to an IT recycler at any stage of the process. Yes, immeasurable damage would be done to the reputation of any ITAD who failed to 100% eradicate data presumably resulting in the death of the organisation, but the ICO will look to the Data Owner and levy penalties and broadcast its findings regarding the failure of the company’s Data Security policy which led to the breach. – Malcolm Charnock

Images courtesy of Microsoft Clipart and istock

ICEX-jpg-1

Advertisements

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s