14.10.13
Avoiding data breach fines when disposing of old IT equipment
PSE talks to Simon Rice, group manager for technology at the Information Commissioner’s Office (ICO).
Local authorities and other public sector organisations have been warned to take the utmost care in disposing of IT assets, because old hard drives can still contain sensitive personal data.
Speaking to PSE, the Information Commissioner’s Office’s (ICO’s) group manager for technology, Simon Rice, said: “There’s a huge amount of data stored on hard drives, whether that be back-up drives, or laptops, or desktop hard drives. It’s still a problem.”
In 2012 and 2013, two NHS trusts faced large fines from the ICO for such data failures, after they failed to monitor the third-party contractors disposing of old hard drives, some of which ended up on eBay.
On the recent monetary penalties – £325,000 for Brighton & Sussex University Hospitals NHS Trust last summer, and £200,000 for NHS Surrey in June 2013, reduced for early payment – Rice said: “In both cases the disposal was being handled by a third party, but with no monitoring or checking that the third party was doing what they’d been contracted to do, or what that third party had said they would do. Instead of disposing of those hard drives securely, they were ending up on auction websites or being sold on. The monitoring aspect wasn’t being kept up.”
Rice said the risk and liability will “fundamentally remain with the data controller”, even if their IT systems or disposal are contracted out. He told us: “The data controller will have the ultimate responsibility of disposing of it securely.
“That’s not to say they would always get a monetary penalty if one hard drive out of a million got through. But we’d want to ensure that the public sector organisation was taking enough steps to make sure the third party provider was doing enough. It’s not a case of just going online and searching for the cheapest equipment disposal: it’s about looking at it properly, with a sensitive procurement exercise and due diligence. ‘Does this company have a decent reputation?’ And it could involve doing some audits.”
The ICO has produced guidance on safe disposal of IT assets, but it is not prescriptive or draconian: instead, it urges organisations to ensure someone takes responsibility for IT disposal and that there is a strategy in place.
Even with the most sensitive data – on child protection, for example, or medical records – the guidance does not mandate a single method: the key is choosing a disposal method proportionate to the sensitivity of the data and the circumstances in which it is held.
Rice told us: “There are many ways of securing and deleting data. It just depends what’s most appropriate for those circumstances. Certainly, physical destruction, or a shredded hard disk, is pretty much as guaranteed as you’re going to get. But secure-wiping can be appropriate as well.”
He added: “It’s important to think about all the different ‘bits’ of IT within an organisation: not just desktops and laptops but also devices like fax machines and printers, which can also have some sort of memory in them.
“As we move to mobile devices and bring-your-own-device working, that brings in a whole other dimension – especially if any employee wants to bring in their iPad, use that for 12 months, then wants to sell that on eBay to make a little money, for example. That can cause a difficult situation, because you can’t exactly pull out the hard drive from a tablet or mobile phone, and you don’t want to hit it with a hammer or destroy it. That would destroy its value.
“Guidelines on that are still being formulated, we’re discussing it with people like CESG [the Government’s National Technical Authority for Information Assurance] to see what they’d recommend. They’d go through and test secure-wiping procedures. As a minimum, we suggest software wiping and using the factory reset function. But it’s crucial to think about what data is being put on these devices and whether it can be wiped at the end of life.”
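The secure-wiping option Rice mentions above, and the software wipe he suggests as a minimum for devices, only counts as disposal if someone checks the result; the two penalties described earlier arose precisely because nobody verified what the contractor had done. The script below is an added example, not code from the article or from ICO guidance: it zero-fills a drive and then verifies the wipe independently (full size preserved, no non-zero byte left, a known marker string gone). The target is a constructed 1 MiB file-backed image so it runs offline; the function names, the marker string and the use of Linux `blockdev` for real devices are this example's own assumptions. The zero-pass approach is for magnetic disks; SSDs and flash devices need the drive's own secure-erase command, which is not shown.

```shell
#!/bin/sh
# Added example, not from the article or from ICO guidance: overwrite a
# drive image with zeros, then verify the result independently. This is the
# "checking" step the article says was missing when disposal went wrong.
# The target is a constructed file-backed image so this runs offline; the
# same functions accept a block device such as /dev/sdb when run as root.
# Caveat: a zero pass suits magnetic disks only. SSDs and flash need the
# drive's own secure-erase (hdparm --security-erase, nvme format).
set -eu

MARKER='PATIENT-RECORD-SAMPLE-DATA'   # constructed stand-in for sensitive data

# Size in bytes of a regular file or a (Linux) block device.
target_size() {
    if [ -b "$1" ]; then blockdev --getsize64 "$1"; else wc -c < "$1" | tr -d ' '; fi
}

# Build a constructed "old drive": 1 MiB of random bytes with MARKER written
# at offset 512 KiB, so its presence before and absence after can be checked.
make_sample_image() {
    dd if=/dev/urandom of="$1" bs=512 count=2048 2>/dev/null
    printf '%s' "$MARKER" | dd of="$1" bs=512 seek=1024 conv=notrunc 2>/dev/null
}

# Exit 0 if the marker string is still readable anywhere on the target.
contains_marker() {
    LC_ALL=C grep -q "$MARKER" "$1"
}

# Single zero pass over the whole target, then flush to media. One pass is
# sufficient for modern magnetic drives; the verification below matters more
# than the pass count.
wipe_target() {
    bytes=$(target_size "$1")
    head -c "$bytes" /dev/zero | dd of="$1" conv=notrunc 2>/dev/null
    sync
}

# Number of bytes on the target that are not 0x00.
nonzero_bytes() {
    LC_ALL=C tr -d '\000' < "$1" | wc -c | tr -d ' '
}

# The wipe is verified only if the target is still its original size (a run
# that stopped early on an I/O error leaves data behind) and no non-zero
# byte remains. Arguments: target, expected size in bytes.
verify_wiped() {
    [ "$(target_size "$1")" -eq "$2" ] && [ "$(nonzero_bytes "$1")" -eq 0 ]
}

# End-to-end run on a temporary image; prints a sign-off line or a failure.
demo() {
    img=$(mktemp)
    make_sample_image "$img"
    expected=$(target_size "$img")
    contains_marker "$img" || { echo "sample image missing marker"; rm -f "$img"; return 1; }
    wipe_target "$img"
    if verify_wiped "$img" "$expected" && ! contains_marker "$img"; then
        echo "wipe verified: $expected bytes, 0 non-zero, marker gone"
        rm -f "$img"
        return 0
    fi
    echo "WIPE NOT VERIFIED: do not release $img"
    rm -f "$img"
    return 1
}

demo
```

The size check in `verify_wiped` is deliberate: a wipe tool that aborts on a bad sector can report success for the part it wrote, and a drive that is released on that basis still carries the rest of its contents. Keeping the sign-off line, or the equivalent certificate from a contractor, with the asset register is the record the data controller needs if the ICO later asks what was done.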
The ICO is happy to offer advice on these issues, Rice said. “We’re always available to answer questions via our helpline. Though some of those questions might be easily answered by reviewing the guidance, and we can’t go to every organisation and rubber-stamp their procedures – we just don’t have the time and the manpower – but there are a huge number of specialist disposal organisations out there that are doing a good job.”