All data controllers must take data disposal seriously
Julie Pickersgill runs over the stringent requirements for data disposal overseen by the ICO
The Information Commissioner's Office (ICO) is set to review the data destruction directive over the next two years. Old or redundant IT is often viewed as rubbish, and failure to dispose of it properly leaves many organisations exposed to the risk of asset or data loss – each of which also carries a potential fine of up to £500,000.
In my experience less than 10 per cent of organisations are compliant with the current regulations regarding IT equipment disposal. I believe this is down to a lack of information and awareness of the associated risks. Most organisations are simply not aware of the risks associated with transporting and storing data prior to destruction, nor are they familiar with the methods required to certify data has been erased or destroyed.
Data controllers – such as cloud services providers or other IT specialists – will be acutely aware that under the Data Protection Act 1998 organisations have a duty to ensure that confidential data collected and held by them is not released into the public domain in an unauthorised or accidental manner. Also, under the 2007 Waste Electronic and Electrical Equipment (WEEE) Directive there is an obligation to process redundant IT equipment in a particular way.
Assurance and traceability is critical where data destruction is concerned. The data controller is accountable for the actions of any third party which processes the data in question. This includes the destruction of data.
If data is lost or leaked through the actions of a third party, the organisation remains responsible and could be fined for an amount equivalent to up to two per cent of its annual turnover. You must ensure that data is destroyed according to the applicable standards.
Organisations also have to be able to prove their data was destroyed securely and using approved methods. In the event of a data breach, organisations will be required to show they can trace all data assets and provide documentation, including a valid data destruction certificate.
The regulations have tightened over recent years and they will probably continue to do so. As organisations become more reliant on data, potential fines have increased along with the regulator's powers.
Over the next few years the ICO will obtain further powers to audit organisational processes and mandate even more reporting. Data controllers will come under increased scrutiny. In addition, there may be regulations imposed directly on third-party contractors – although this will not remove any liability from the data controller.
All organisations that collect data which can identify a specific person are vulnerable here, but especially in larger organisations where the volume of data and number of data assets is larger, making traceability and accountability much more of a challenge.
There has been a great deal of scrutiny of data practices in the public sector; we are all aware of news stories about councils fined huge amounts of money for failing to dispose of personal data properly, and this has led to the tightening of existing laws. But the focus is now shifting to the private sector.
I would strongly advise resellers to review their own and customers' IT disposal processes. Can you prove the data has been destroyed against each and every asset prior to disposal or resale? Are there records that show when and where exactly each asset transferred ownership? In the event of an incident or audit, this information must be provided to regulators.
Julie Pickersgill is operations director at Advanced Digital Dynamics