In an age where even some recycling bins can capture information from your smartphone as you walk past, keeping sensitive data private has never been more important. But are companies aware of what happens to that information once the hardware has reached the end of its life?
What many firms fail to grasp is that it is their responsibility to understand their electrical waste process fully and to implement a recycling procedure that provides for the secure destruction of data, for example the data held on an old hard drive. During the life of a computer a great deal of time, effort and money is spent ensuring that data is stored and processed securely, but too little attention is given to that data once the computer becomes redundant. Certain waste management companies such as Collect and Recycle (http://www.collectandrecycle.com/
The intrinsic value of even the most basic personal data is pursued by companies and sometimes by fraudsters. The former wish to utilise the enormous benefits of mass personal data for market analysis and advertising, whereas the latter seek to exploit it for illegal ends. How data held in electrical equipment is handled also has implications under several pieces of legislation, most notably the Data Protection Act (1998) and the Environment Act (1995), which states: “Your legal Duty of Care extends to when your equipment is reused, recycled or disposed of.” In fact, the disposal of computer equipment is covered by 8 separate regulations.
Amendments to the recast WEEE Directive are also due, with an announcement expected in September 2013. The EDPS (European Data Protection Supervisor) has recognised WEEE as the fastest growing waste stream in the EU, and the target has been set at an 85% reduction in the disposal of WEEE by 2016. Given this recent legislative focus on electrical goods, companies will inevitably become more engaged in recycling electrical products, which further heightens the need for a secure way of removing sensitive data before equipment leaves their control.
Hardware that may contain sensitive data is not limited to the hard drives in servers and desktops: photocopiers and multifunction printers, for example, carry their own internal storage. In a high-profile US case, Affinity, a not-for-profit health plan, was found to have passed on photocopiers whose drives still contained patient health data; the resulting settlement cost the firm in excess of a million dollars (around £640,000). This case highlights the importance of a visible data destruction process and of choosing the right data processors for the job.
A data controller is the person or organisation (typically a company) that holds, and is responsible for, personal data. A data processor may be the same entity as the controller, but in this instance it is a sub-contracted third-party company licensed to carry out the compliant destruction of data.
Under normal circumstances there are multiple individuals and locations involved in the chain that data storage equipment passes through, from the data controller (Company X) via a data processor (the collector) to eventual destruction. This traditional process brings two major problems.
Firstly, the risk that something happens to the data on its way to the AATF (Approved Authorised Treatment Facility) rises with every unnecessary data processor in the chain.
Secondly, visibility of exactly what has happened to the storage devices is reduced, because the data controller has less control over both the steps taking place and the people carrying them out.
Figure 1 - Efficient Data Collection
Figure 1 shows how these problems can be addressed and the process chain shortened.
Ideally a certified company destroys the data on site; however, this is seldom a viable option and is unnecessary for smaller companies. Compliant waste management firms can act as the intermediary in this process, providing an authorised company that destroys data to varying standards depending on the customer’s needs.
These providers can offer full traceability in the form of method statements and detailed certificates of destruction. A certificate of destruction is only useful if it identifies each device, for example by serial number, and states the method used, so that it can be reconciled against the controller’s own asset register. Providers should also be able to advise on which method of disposal is the most suitable and cost-effective for the customer. A properly documented data destruction process is more financially beneficial for companies, ensures they comply with the most recent industry standards, and gives peace of mind about the data they stored.
Combining a full audit trail, certified data processors and an AATF site means that WEEE can readily meet requirements that will only become more important over the next three years, if Europe is to meet its target of collecting and recycling 85% of all WEEE (measured by weight) by 2016.