At EOL we are continually surprised to find that many organisations are unaware of their specific responsibilities under Principle 7 of the Data Protection Act 1998.
So – in brief, what does the Data Protection Act say about information security, and how does this affect your choice of IT Asset Disposal (ITAD) partner?
The Data Protection Act 1998 (Schedule 1, Part I, seventh principle; the equivalent duty now sits in UK GDPR Article 5(1)(f) and Article 32) states that:
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
The ICO (Information Commissioner's Office) further states that:
“This is the seventh data protection principle. In practice, it means you must have appropriate security to prevent the personal data you hold being accidentally or deliberately compromised. In particular, you will need to:
- design and organise your security to fit the nature of the personal data you hold and the harm that may result from a security breach;
- be clear about who in your organisation is responsible for ensuring information security;
- make sure you have the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff; and
- be ready to respond to any breach of security swiftly and effectively.”
How is this relevant to computer security when it comes to the safe and secure disposal of retired IT assets, and what does the ICO recommend when choosing an ITAD to partner with?
The ICO states the following:
“You should consider the following guiding principles when deciding the more technical side of information security.
- Your computer security needs to be appropriate to the size and use of your organisation’s systems.
- As noted above, you should take into account technological developments, but you are also entitled to consider costs when deciding what security measures to take.
- Your security measures must be appropriate to your business practices. For example, if you have staff who work from home, you should put measures in place to ensure that this does not compromise security.
- The measures you take must be appropriate to the nature of the personal data you hold and to the harm that could result from a security breach.”
So – what does the ICO recommend when it comes to choosing an IT Asset Disposal company to partner with?
“If you use a specialist asset disposal company to recycle your old electronic equipment it will be defined as a ‘data processor’ under the Data Protection Act. As the asset disposal company will be acting on your behalf, you will be responsible under the Data Protection Act for what the provider does with any personal data contained on the devices that it is recycling. If the provider does not successfully delete personal data that is subsequently compromised you may be responsible for the breach.”
The ICO recommends that when choosing an IT asset disposal company, you ensure they provide sufficient guarantees about their security measures stating that “You should be satisfied that your service provider will treat the personal data with the same level of protection, or better, as you.”
“Look for independent approval of products used in the deletion process such as NCSC (previously CESG), the UK government’s national technical authority for information assurance. If possible, conduct a client site assessment and audit of your chosen disposal company”.
EOL IT Services provide a range of data destruction services, designed to give businesses, local authorities, educational facilities and healthcare organisations assurance over the security of their data, to CESG
When undertaking data destruction there are four methods to consider; in some cases a combination of these methods will achieve the result you are looking for and satisfy your responsibilities under Principle 7.
EOL IT Services are able to carry out any of these methods either on-site at your own premises or at our own secure facility:
- Data Wiping: EOL use an HMG IS5 (Infosec Standard 5) Enhanced wipe of the hard drive, approved by NCSC (previously CESG), carried out with Blancco certified software over a LAN connection. Every data wipe produces a Certificate of Erasure listing the items wiped, which you should retain as evidence that the data processor did what it was contracted to do.
- Data Degaussing: EOL also use degaussing to erase data, audio and video from magnetic storage media such as hard drives and tapes. Degaussing achieves the same result as wiping for magnetic media, but it renders the drive unusable (the servo tracks are destroyed along with the data). Note that degaussing does not erase solid-state drives or other flash-based storage; those must be wiped or physically destroyed instead.
- Data Shredding: EOL provide a data shredding service which physically destroys the media, including hard drives. EOL can also perform this service at your own site under a non-release-of-data policy, so that media never leaves your premises intact.
- Data Granulation: EOL operate a granulator at our facility suitable for the destruction of magnetic media, paper and electronic media. EOL's granulators are CPNI approved.
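The wiping method above rests on two steps: overwrite the medium, then read it back and confirm the overwrite actually landed. The following is an added example (editor's code, not EOL's, Blancco's or NCSC's) that performs a three-pass overwrite and read-back verification over a disk image file, and checks before and after for a constructed "customer record" marker. The pass sequence used here (0xFF, 0x00, then a keyed pseudorandom stream) is an assumption chosen for illustration, not a statement of what HMG IS5 Enhanced specifies; the final pass is keyed so it can be regenerated for verification.

```python
"""Overwrite-then-verify over a disk image file.

Added illustration, not code from EOL, Blancco or NCSC.  The pass sequence
(0xFF, 0x00, keyed pseudorandom) is an assumption for illustration only."""
import hashlib
import hmac
import os
import secrets
import tempfile
from typing import Callable, Dict, List

CHUNK = 64 * 1024  # bytes written/read per step

# A pattern is a function (chunk_index, length) -> bytes, so the verify
# step can regenerate exactly what the overwrite step wrote.
Pattern = Callable[[int, int], bytes]


def fixed_pattern(value: int) -> Pattern:
    return lambda index, length: bytes([value]) * length


def keyed_random_pattern(key: bytes) -> Pattern:
    """Deterministic pseudorandom stream: HMAC-SHA256 in counter mode under a
    secret key.  Unpredictable without the key, reproducible with it."""
    def gen(index: int, length: int) -> bytes:
        out = bytearray()
        counter = 0
        while len(out) < length:
            msg = index.to_bytes(8, "big") + counter.to_bytes(4, "big")
            out += hmac.new(key, msg, hashlib.sha256).digest()
            counter += 1
        return bytes(out[:length])
    return gen


def _chunks(size: int):
    offset, index = 0, 0
    while offset < size:
        length = min(CHUNK, size - offset)
        yield index, offset, length
        offset += length
        index += 1


def overwrite_pass(path: str, pattern: Pattern) -> None:
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for index, _offset, length in _chunks(size):
            f.write(pattern(index, length))
        f.flush()
        os.fsync(f.fileno())  # push the writes out before reading back


def verify_pass(path: str, pattern: Pattern) -> List[int]:
    """Read the image back; return offsets of chunks that do not match the
    pattern.  An empty list means the pass verified."""
    size = os.path.getsize(path)
    mismatches = []
    with open(path, "rb") as f:
        for index, offset, length in _chunks(size):
            if f.read(length) != pattern(index, length):
                mismatches.append(offset)
    return mismatches


def contains_marker(path: str, marker: bytes) -> bool:
    """Crude residue check: does a known plaintext still appear anywhere?
    Keeps a carry so a marker spanning two reads is still found."""
    carry = b""
    with open(path, "rb") as f:
        while True:
            block = f.read(CHUNK)
            if not block:
                return False
            if marker in carry + block:
                return True
            carry = block[-(len(marker) - 1):] if len(marker) > 1 else b""


def wipe_and_verify(path: str) -> List[int]:
    """Three overwrite passes, then read-back verification of the last one.
    Returns the mismatching offsets (empty on success)."""
    passes = [fixed_pattern(0xFF), fixed_pattern(0x00),
              keyed_random_pattern(secrets.token_bytes(32))]
    for pattern in passes:
        overwrite_pass(path, pattern)
    return verify_pass(path, passes[-1])


def demo() -> Dict[str, object]:
    """Constructed sample: an image just over 1 MiB filled with a fake
    customer record, checked before and after the wipe."""
    marker = b"CUSTOMER:Jane Doe;NI:QQ123456C;"  # constructed, not real data
    size = 1024 * 1024 + 37  # deliberately not a multiple of CHUNK
    fd, path = tempfile.mkstemp(suffix=".img")
    os.close(fd)
    try:
        with open(path, "wb") as f:
            f.write((marker * (size // len(marker) + 1))[:size])
        before = contains_marker(path, marker)
        bad = wipe_and_verify(path)
        after = contains_marker(path, marker)
        return {"residue_before": before, "mismatches": bad,
                "residue_after": after}
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

This runs against an ordinary file, which is the limit of what it can demonstrate: a real wipe must be issued to the device itself, and even then a file-or-partition-level overwrite cannot reach sectors the drive has reallocated, hidden areas such as an HPA/DCO, or the over-provisioned and wear-levelled blocks of an SSD. That gap is why the ICO points you at independently approved products and at auditing your disposal company rather than at a script, and why the Certificate of Erasure should identify each drive by serial number.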
For more information on how we can assist you with ensuring the security of your data, please contact us on 0845 600 4696.