Data Destruction - Passing the Buck Guest blog from Malcolm Charnock Icex

Data Protection Understanding your responsibilities as a data owner includes having proper policy and processes in place for safe removal and destruction of information that should no longer be stored. It should form part of an organisation's overall Information Security Policy with specific reference to the Data Protection Act (1998) Through the power of Social Media we were delighted to meet Malcolm Charnock from Icex and even more delighted that he agreed to do a guest blog on Data Destruction for us. Data Destruction - Passing The Buck by Malcolm Charnock

One of the things that keeps me enthused about my job is every client has different requirements when it comes to ensuring all data is eradicated. Different requirements? Well maybe the truth is every client has different levels of understanding (or apathy) of their obligation and options when it comes to securely eradicating data. I have spoken to organisations who insist on 2mm granulation of hard drives, after all this is the standard the MOD requires so their business should insist on this too??? Actually you have to take your hat off to an organisation who takes data destruction this seriously; until you find out this same organisation use a courier to send the hard drives to a data destruction specialist who they have no real knowledge of! The fact is every organisation has the same responsibility and in most cases the process that is most suitable is the same. OK, the local shop losing data will clearly not have the

Advent IM Ltd 2012 any republishing in part or full with express permission of Advent IM

same impact as the MOD but the thought process behind any Information Security Policy should be similar. ICO Monetary Penalties, contrary to popular opinion, are not levied purely as a result of a breach occurring. Just as important are the organisations processes and policies. Have all reasonable precautions been taken to ensure the breach could not occur? Was due diligence carried out to check the suitability of your service provider, contractor or vendor? If the answer is yes and an unprecedented occurrence caused the breach I would personally not expect the ICO to take action other than to ensure you were not vulnerable to this type of event again. SECURELY MANAGING DECOMMISSIONING AND DISPOSAL OF REDUNDANT IT ASSETS There are an estimated 700 companies offering IT recycling as part of their capabilities so you would feel confident that in a competitive, open market you would reap the benefits of price checking and negotiating a free collection. The problem is that this is a largely unregulated industry so how do you choose a credible partner to trust with eradicating your data? There are a wide range of accreditations cited on most ITADs websites and literature, many of these I have never heard of while others require no audit to achieve. In other cases the accreditation is listed although the ITAD will not actually have achieved the standard. The buck stops with the data owner so it is important to do a little investigating before selecting the most suitable partner.
Is your Data Destruction contractor approved? By whom? Have you audited

them?
Do they use third party contractors? Are they approved? By whom? Have you

audited them?
Are their processes and policies secure and approved? By whom? Is there a contingency in place? How are data holding items transported? By whom? Are they approved? Have

you audited them? If you can answer all of the above questions you really should have little to fear from the ICO, but you would also be in the minority. If in doubt, speak to ADISA (Asset Disposal and Data Security Alliance) or check their website to see if your preferred IT Recycling partner meets with this DIPCOG recognised industry standard.

Advent IM Ltd 2012 any republishing in part or full with express permission of Advent IM

The data, regardless of the terms of any contract, remains the responsibility of the data owner and does not pass to an IT recycler at any stage of the process. Yes, immeasurable damage would be done to the reputation of any ITAD who failed to 100% eradicate data presumably resulting in the death of the organisation, but the ICO will look to the Data Owner and levy penalties and broadcast its findings regarding the failure of the companys Data Security policy which led to the breach. - Malcolm Charnock Images courtesy of Microsoft Clipart and istock

www.advent-im.co.uk Head Office: 0121 559 6699 London Office: 0207 100 1124 Email: bestpractice@advent-im.co.uk Advent IM is the UK's leading independent information security and physical security consultancy. We specialise in holistic security management solutions for Information Security, HMG Information Assurance, Business Continuity, PCI-DSS and Physical Security and have a proven track record of successful certifications.
Our blogs www.adventim.wordpress.com

www.adventimforarchitects.wordpress.com www.adventimforuklegal.wordpress.com www.adventimforgambling.wordpress.com www.adventimschoolsecurity.wordpress.com

Advent IM Ltd 2012 any republishing in part or full with express permission of Advent IM