Photograph Courtesy of Mark Phelan
Data Security: The Importance of Data Destruction
In an age when even seemingly innocuous recycling bins can be equipped to capture information from smartphones, the need to protect sensitive data has never been so immediate.
Many companies continue to underestimate the importance of effective electrical waste management procedures, however, and risk breaching data protection legislation or even financial ruin as a result of failing to adopt secure data destruction policies.
During the operating lifetime of a computer or mobile device a great deal of time, effort and money is spent on ensuring that data is stored and processed securely. Yet, too often, very little (if any) attention is given to waste electrical and electronic equipment (WEEE) disposal.
Even the most basic of personal data has intrinsic value for companies and potential fraudsters. The former will typically harvest data en masse to use in market analysis and advertising; and criminals will seek to exploit it for illegal purposes.
There are also legal implications relating to personal data and electronic storage media. In the United Kingdom the relevant statutes are the Data Protection Act of 1998 and the Environment Act of 1995 which states: “Your legal Duty of Care extends to when your equipment is reused, recycled or disposed of.” In fact, the disposal of computer equipment alone is covered by eight, separate statutes and statutory provisions.
At the continental level, the European Data Protection Supervisor (EDPS) has recognised WEEE as the fastest growing waste stream within the European Union and established a new 2016 target for reducing WEEE-generated waste by 85 per cent. It is therefore inevitable that companies will be required to engage more actively in electrical product recycling.
Hardware that may contain sensitive data is not limited to computer storage drives or mobile devices. In August, the United States Department of Health and Human Services (HHS) announced it had agreed a US $1,215,780 (£640,000) settlement with Affinity Health Plan after the company disposed of leased photocopiers without destroying medical information relating to an estimated 350,000 individuals that was stored on their hard drives in breach of electronic protected health information (ePHI) regulations. The company was required additionally to amend its operating procedures to include adequate data safeguards and risk assessments.
The WEEE Disposal & Recycling Process
A data controller is defined as a "person" or "group of persons" (which extends the definitional scope to a company) that holds and is responsible for personal data. Another term, data processor, is used to describe sub-contracted third party providers that are licensed to offer legislation-compliant data destruction services.
The process that electronic storage media goes through when it is sent by a data controller (Company X) for disposal by a data processor (Collector) is charted below.
Figure 1 Historic data disposal practices have relied on multiple contractors within the process chain which increases the risk of data being intercepted before the hardware it is stored on reaches an AATF (Approved Authorised Treatment Facility) and, by extension, reduced traceability and accountability in the event of data being leaked.
Figure 2 (right) depicts a more efficient and reliable process chain.
In the ideal scenario a certified company would be contracted to dispose of data on-site. However, this is rarely an operationally viable option and is overkill for smaller companies which can easily outsource the task to qualified intermediaries instead.
Intermediaries will typically work with certified contractors to deliver best-in-class data disposal services and provide full traceability in the form of statements of method and detailed Certificates of Destruction.
They will also help clients choose the most appropriate disposal methods and industry standards which may include one (or more) of the following:
- Binary wiping
- UK CESG
- US DOD
- CANADIAN OPS
- Disassembly of equipment for mechanical shredding
A full audit trail involving certified data processors and an AATF site facilitates compliance with current and proposed WEEE disposal and recycling requirements.
Additional information is available at www.collectandrecycle.com.