Latest Public Sector News

14.10.13

Avoiding data breach fines when disposing of old IT equipment

PSE talks to group manager for technology at the Information Commissioner’s Office (ICO), Simon Rice.

Local authorities and other public sector organisations have been warned to take the utmost care in disposing of IT assets, because old hard drives can still contain sensitive personal data. 

Speaking to PSE, the Information Commissioner’s Office’s (ICO’s) group manager for technology, Simon Rice, said: “There’s a huge amount of data stored on hard drives, whether that be back-up drives, or laptops, or desktop hard drives. It’s still a problem.” 

In 2012 and 2013, two NHS trusts faced large fines from the ICO for such data failures, after they failed to monitor the third-party contractors disposing of old hard drives, some of which ended up on eBay. 

On the recent monetary penalties – £325,000 for Brighton & Sussex University Hospitals NHS Trust last summer, and £200,000 for NHS Surrey in June 2013, reduced for early payment – Rice said: “In both cases the disposal was being handled by a third party, but with no monitoring or checking that the third party was doing what they’d been contracted to do, or what that third party had said they would do. Instead of disposing of those hard drives securely, they were ending up on auction websites or being sold on. The monitoring aspect wasn’t being kept up.” 

Rice said the risk and liability will “fundamentally remain with the data controller”, even if their IT systems or disposal are contracted out. He told us: “The data controller will have the ultimate responsibility of disposing of it securely. 

“That’s not to say they would always get a monetary penalty if one hard drive out of a million got through. But we’d want to ensure that the public sector organisation was taking enough steps to make sure the third party provider was doing enough. It’s not a case of just going online and searching for the cheapest equipment disposal: it’s about looking at it properly, with a sensitive procurement exercise and due diligence. ‘Does this company have a decent reputation?’ And it could involve doing some audits.” 

The ICO has produced guidance on safe disposal of IT assets, but it is not prescriptive or draconian: instead, it urges organisations to ensure someone takes responsibility for IT disposal and that there is a strategy in place. 

Even with the most sensitive data – on child protection, for example, or medical records – the key is making a decision based on what’s appropriate. 

Rice told us: “There are many ways of securing and deleting data. It just depends what’s most appropriate for those circumstances. Certainly, a physical destruction, or a shredded hard disc, is pretty much as guaranteed as you’re going to get. But secure-wiping can be appropriate as well.” 

He added: “It’s important to think about all the different ‘bits’ of IT within an organisation: not just desktops and laptops but also devices like fax machines and printers, which can also have some sort of memory in them. 

“As we move to mobile devices and bring-your-own-device working, that brings in a whole other dimension – especially if any employee wants to bring in their iPad, use that for 12 months, then wants to sell that on eBay to make a little money, for example. That can cause a difficult situation, because you can’t exactly pull out the hard drive from a tablet or mobile phone, and you don’t want to hit it with a hammer or destroy it. That would destroy its value. 

“Guidelines on that are still being formulated, we’re discussing it with people like CESG [the Government’s National Technical Authority for Information Assurance] to see what they’d recommend. They’d go through and test secure-wiping procedures. As a minimum, we suggest software wiping and using the factory reset function. But it’s crucial to think about what data is being put on these devices and whether it can be wiped at the end of life.” 

The ICO is happy to offer advice on these issues, Rice said. “We’re always available to answer questions via our helpline. Though some of those questions might be easily answered by reviewing the guidance, and we can’t go to every organisation and rubber-stamp their procedures – we just don’t have the time and the manpower – but there are a huge number of specialist disposal organisations out there that are doing a good job.”

Comments

There are no comments. Why not be the first?

Add your comment

 

public sector executive tv

more videos >

last word

Prevention: Investing for the future

Prevention: Investing for the future

Rob Whiteman, CEO at the Chartered Institute of Public Finance (CIPFA), discusses the benefits of long-term preventative investment. Rising demand, reducing resource – this has been the r more > more last word articles >

public sector focus

View all News

comment

Peter Kyle MP: It’s time to say thank you this Public Service Day

21/06/2019Peter Kyle MP: It’s time to say thank you this Public Service Day

Taking time to say thank you is one of the hidden pillars of a society. Bei... more >
How community-led initiatives can help save the housing shortage

19/06/2019How community-led initiatives can help save the housing shortage

Tom Chance, director at the National Community Land Trust Network, argues t... more >

interviews

Artificial intelligence: the devil is in the data

17/12/2018Artificial intelligence: the devil is in the data

It’s no secret that the public sector and its service providers need ... more >