Most businesses tend to be well aware of their responsibilities for protecting sensitive data. The Data Protection Act 1998 (“DPA”) makes businesses responsible for preventing personal information they hold from being lost, stolen, or otherwise exposed beyond its intended purpose.
Principle 7 of the Act states:
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
This makes clear the responsibility of businesses to do everything possible to protect information.
Responsibility doesn’t end at the network perimeter
While data information is in use, UK businesses are usually very good at protecting it. But when older IT hardware is retired, many make the mistake of failing to put the data stored on it beyond recovery. Every few months a story surfaces of sensitive personal information being found on second-hand hardware, proving that data deletion is not a regular part of corporate disposal provisions.
Before any old storage is dumped or resold, the data stored on it must be permanently deleted so that it cannot be recovered. This not only ensures your business complies with the DPA requirements, but also prevents valuable intellectual property from falling into the hands of competitors or hackers.
Check hardware deletion before disposal
In order to speed up the disposal process, your business may choose employ the services of a WEEE-certified recycling specialist. These companies will strip IT hardware down to its components, resell what they can, and ensure the remaining parts are recycled or disposed of responsibly.
But it is extremely important to note that even after the hardware has left your offices, your business retains responsibility for ensuring personal data is put beyond recovery. You should always check whether the receiver will erase data as part of the recycling service, and what techniques they use to do so. Any failure to remove data could see your business prosecuted by the Information Commissioner’s Office (“ICO”), the body set up to enforce the DPA.
Data destruction
There are two main ways to ensure data is put beyond recovery:
- use a secure file deletion tool to overwrite every sector of the storage device;
- physically destroy the drive.
Secure file deletion software tends to be relatively inexpensive, but you may need to set aside several hours at a time to process hardware before it can be disposed of. Otherwise you will need to remove storage devices from IT hardware before it is sent for recycling, destroying them carefully (strong magnetic fields are extremely effective).
Whichever method of data removal you choose, your business needs to put the necessary processes in place immediately to avoid potential problems with the ICO. You also need to test and verify that information really is put beyond recovery before disposal of any hardware.
For further help and advice about how to delete data securely, or on how to protect your data with extra measures such as drive encryption, please give our expert team at Broadband Cloud Solutions a call.
Leave a Reply