Data destruction: avoid the price of ignorance

Fines can run into six figures for data law breaches Fines can run into six figures for data law breaches

Small and medium sized enterprises ignore the storage and disposal of confidential information at their peril as the Government’s regulator steps up its scrutiny of private sector breaches in data laws.

Julie Pickersgill

Julie Pickersgill

Julie Pickersgill, operations director of Harrogate based computer hardware and data destruction specialist Advanced Digital Dynamics (ADD) Ltd says that small and medium sized enterprises often fail to understand the impact of failing to have secure systems in place to dispose of private data. She warns that companies falling foul of the law risk their reputation - and possibly their business - as fines can run into six figures for data law breaches.

Data destruction and IT asset disposal are heavily regulated and complex areas but ignorance is not bliss. No matter who deals with the operational aspect of data protection and destruction, the business owner is ultimately accountable.

This is even the case where an external company has been hired to destroy data. One high profile case saw a Scottish council fined £250,000 after sensitive documents were found in supermarket waste bins. The Scottish ICO said the local authority had ‘taken their eye off the ball’ when outsourcing and not carried out sufficient checks on the provider.

So what are the necessary steps that businesses can take to ensure that they are fully compliant?

Onsite and offsite destruction

Brush up on the difference between onsite and offsite destruction. Offsite methods increase the risk of losing data before it can be destroyed, whereas onsite methods enable you to stay close to the process and minimise risk.

Beware of Free recycling services

Reputable service providers will recycle redundant equipment or sell it on for re-use, and any value realised can be offset against the costs of data destruction and disposal. With an unconditionally free service it is difficult to prove your duty care and due diligence.

Who's in charge?

Put someone senior in overall charge of the process, who can bring together relevant departments and allocate responsibilities, and who understands the consequences of poor security procedures.

Staff Training

Run regular staff training for key people on information security procedures. If necessary bring in specialists to advise.

Data Classification

Be mindful of data classifications. Aggregation and accumulation of data often occurs at the disposal stage where assets of all types are merged together, and it is then impossible to distinguish between lower and higher risk types of data.

Itemise & Identify

Ensure you accurately itemise and identify all equipment marked for removal and its data bearing status; this should be agreed at the point of sign-over and transfer. Maintain detailed records so that, if required, you can provide full end to end traceability.

Redundant Equipment

Be vigilant about where any redundant equipment is stored before proper disposal. Stacking PCs in a corridor potentially leaves your accountability in tatters so ensure that access is secure and controlled.

Use Specialists

Don’t be tempted to accelerate the process by removing hard disks before the specialists take over, as these must be tied up with serial numbers on the originating asset to fulfil traceability requirements.

Third Party Credentials

Be extremely diligent when checking third party credentials and ensure that you are confident about their systems and their personnel. Remember you are still liable for their actions.

Service Agreements

Have robust service agreements in place and carry out regular audits; this will demonstrate that you have carried out your due diligence.

ADD based in Harrogate, Yorkshire, has been a successful worldwide distributor of computer hardware for 16 years