ITProPortal met with Martin Ruston, Group Compliance Manager at Stone Group, to talk about some of the challenges related to data protection when dealing with the safe and legal disposal of IT assets.
Why is data protection an increasingly important area to address?
The increasing focus on data protection legislation and its enforcement are factors which those responsible for data should be placing high importance on. The associated commercial costs of heavy legal penalties for allowing a breach in data protection, which compromises individuals' or clients' confidentiality, could potentially ruin organisations of all sizes and damage their reputation in the long term.
Why is the area of IT asset disposal often overlooked in respect to data protection?
Awareness is the main issue. Redundant IT equipment is usually treated as another waste stream to be disposed of, in the absence of robust and communicated policies which clearly define specific requirements for data bearing assets. Too often the task of disposal is delegated to staff who have no knowledge of data protection, organisational policy requirements or the classification of data held on the equipment.
Who holds responsibility for the data held on assets sent for disposal?
Ultimately and legally, the responsibility rests with the organisation from which the assets and data originated, the data controller usually being the individual to hold this responsibility. Whilst the responsibility for the security of the data is transferred to the disposal service provider on physical receipt, liability will still rest with the data controller if due diligence has not been applied in selecting that provider and can be demonstrated.
Are there any specific regulations that need to be adhered to when it comes to IT asset disposal?
The Data Protection Act 1998 is the principal piece of data protection legislation which needs to be considered in respect to asset disposal; however, data controllers should also have awareness of the Waste Electrical and Electronic Equipment (WEEE) regulations, which require traceable disposal at Environment Agency permitted treatment facilities. This should also help ensure responsible and ethical disposal methods, further reducing the risks posed to data bearing equipment.
What happens to the assets sent for disposal?
All assets received should be subjected to a process that is aimed at maximising the reuse potential in the secondary and charitable markets. Those assets which are not wholly reusable should be subjected to component and/or materials recovery processes, in order to recycle constituent materials. All assets which are to be reused will have all data wiped, removed or destroyed, client identification removed, and then be tested/graded and cleaned. A zero landfill and a no-asset-export policy for disposal or materials recovery is usually highly recommended.
Should data held on IT assets be wiped or physically destroyed?
This is primarily a decision for the data controller. Both are effective in ensuring secure disposal of data held on assets, provided the techniques employed are to acceptable standards. Destruction, such as shredding, should ensure that the data bearing media is fragmented sufficiently to prevent it being recoverable, i.e. small pieces/strands, and ideally mixed with other shredded materials. Data wiping software should have been tested and approved to recognised national technical standards, e.g. CESG. It's advisable to look for a provider that can offer both capabilities, with a preference for data wiping to increase reuse opportunities in support of sustainability policies.
How reliable are data wiping techniques?
Data wiping which is performed by software that has been tested and approved to a national technical standard such as CESG will provide secure wiping of data. There are many products available online which do not offer the same assurance and are unproven. As a data controller, you should also ensure that the proposed data wiping software is suitable for the type of media you require to be wiped. The software employed by Stone is Blancco, which has been approved to global standards.
What measures can be taken to reduce the risks associated with IT asset disposal?
Organisations need to ensure they have in place a clear policy for staff on how their IT equipment is to be treated for disposal, and ensure they understand it. The policy should take into consideration factors such as individual asset identification, data classifications, prescribed data wiping/destruction methods by data classification and media type, the disposal service provider approval process and standards, defined responsibilities for data assets and disposal, and finally vetting of the equipment pre-collection for data which is not for disposal, and the required records.
What records should be maintained in the IT asset disposal process?
A robust process should ensure records are maintained of the individual assets released for disposal, including receipt/processing records from the disposal provider and certificates confirming data wiping/destruction.
How can companies secure IT asset disposal and what is your guidance?
Those looking for IT disposal services should ensure their chosen provider can demonstrate compliance with recognised security standards such as ADISA and ISO 27001, and that the data wiping/destruction methods employed are suitable for the classification of data and the media type.