IT asset disposal: What data controllers need to be considering

The Data Protection Act 1998 establishes a framework of rights and duties which are designed to safeguard personal data. The Act’s definition of processing covers almost anything that an organisation does with personal data throughout its lifecycle, from collection to disposal. Each element of processing must be carried out in accordance with the eight data protection principles. The Data Protection Act requires organisations to take appropriate technical and organisational measures to keep personal information secure. The IT asset disposal process can leave data vulnerable to compromise, especially in cases where an organisation does not know if data is stored on devices earmarked for disposal and no asset disposal process has been established.
Managing the asset disposal process can be challenging due to the increased use of devices with large digital storage capacity such as tablets, smartphones and printers. Additionally, more organisations are adopting ‘bring your own device’ policies, which means data may be stored on employees’ privately owned IT equipment. These challenges highlight the importance of carefully managing the asset disposal process to minimise the risk of compromise when the time comes to recycle or decommission old IT equipment.

To stay in control of the process, responsibility for IT asset disposal should be assigned to a member of staff with a suitable level of authority. That member of staff should ensure that the organisation: completes a full inventory of all equipment that has been marked for disposal; is clear about what will happen with devices when they are no longer needed; considers the security vulnerabilities associated with each method of disposal (recycling, destruction, donation, etc.); and, if the organisation deletes data in-house, ensures that it is done adequately before recycling devices, so that data is not accessible to others after the device has left the organisation’s ownership.
The data processor's role
Data controllers who outsource the IT disposal and data deletion process to a specialist service provider will be using a ‘data processor’ under the DPA. A data processor should be chosen carefully as the data controller retains liability for the information. It is important to ensure that the data processor is capable of deleting data securely. A written contract should be in place between the data controller and the asset disposal company, describing the service to be supplied.

The data controller may be held responsible under the Act if the asset disposal company it uses loses or compromises the data stored on old devices during the disposal process. For example, the asset disposal company may fail to adequately wipe data or remove hard drives from desktop computers before reselling them. There are cases where this has resulted in sensitive data being accessed by the new owners of the equipment.
Secure deletion & disposal
To avoid this, a data controller should choose an asset disposal company that can demonstrate its ability to carry out deletion and recycling in a secure manner. If you use a third party, select an organisation that offers guarantees about their ability to adequately delete data before recycling equipment. Obtain information from the asset disposal company about any specific software or hardware they use when wiping or destroying drives and ensure that audit trails are in place so that the equipment and its contents can be accounted for throughout the disposal process. For your peace of mind, ask the asset disposal company for evidence that data and hard drives have been deleted and destroyed in the form of a certificate of destruction.
Further measures
You can take further measures by auditing the processor and requiring them to report any security breaches or other problems when they occur. Above all, you should be satisfied that you know who is doing what with your old IT equipment and the data contained on the devices. Certainly avoid letting organisations take your devices away without assessing their suitability for the job first. You should be able to demonstrate that you have completed a thorough risk assessment before engaging any third party to carry out IT asset disposal. This is particularly important if there is sensitive data contained on your devices.

Be aware that adopting new technology will result in the need to periodically re-examine any contracts and processes used by disposal companies to ensure they continue to meet industry standards. The Information Commissioner’s Office has regulatory responsibility for the Data Protection Act, and breaches caused by inadequate security measures could lead to enforcement action. In cases of serious non-compliance, the ICO may issue a civil monetary penalty of up to £500,000 to organisations that fail to meet the requirements of the Act.

Looking to the future, proposals for an updated data protection framework released by the EU Commission suggest that legal responsibility and liability will be extended to include data processors. So, data processors may be subject to regulatory action if they, rather than the data controller, are found to be responsible for a data breach. It is a proposed development that all data processors should keep an eye on.