IT AND DATA


Avoiding data breach fines when disposing of old IT equipment


PSE talks to group manager for technology at the Information Commissioner’s Office (ICO), Simon Rice.


Local authorities and other public sector organisations have been warned to take the utmost care in disposing of IT assets, because old hard drives can still contain sensitive personal data.


Speaking to PSE, the Information Commissioner’s Office’s (ICO’s) group manager for technology, Simon Rice, said: “There’s a huge amount of data stored on hard drives, whether that be back-up drives, or laptops, or desktop hard drives. It’s still a problem.”


In 2012 and 2013, two NHS trusts faced large fines from the ICO for such data failures, after they failed to monitor the third-party contractors disposing of old hard drives, some of which ended up on eBay.


On the recent monetary penalties – £325,000 for Brighton & Sussex University Hospitals NHS Trust last summer, and £200,000 for NHS Surrey in June 2013, reduced for early payment – Rice said: “In both cases the disposal was being handled by a third party, but with no monitoring or checking that the third party was doing what they’d been contracted to do, or what that third party had said they would do. Instead of disposing of those hard drives securely, they were ending up on auction websites or being sold on. The monitoring aspect wasn’t being kept up.”


Rice said the risk and liability will “fundamentally remain with the data controller”, even if their IT systems or disposal are contracted out. He told us: “The data controller will have the ultimate responsibility of disposing of it securely.


42 | public sector executive Sep/Oct 13


“That’s not to say they would always get a monetary penalty if one hard drive out of a million got through. But we’d want to ensure that the public sector organisation was taking enough steps to make sure the third party provider was doing enough. It’s not a case of just going online and searching for the cheapest equipment disposal: it’s about looking at it properly, with a sensitive procurement exercise and due diligence. ‘Does this company have a decent reputation?’ And it could involve doing some audits.”


The ICO has produced guidance on safe disposal of IT assets, but it is not prescriptive or draconian: instead, it urges organisations to ensure someone takes responsibility for IT disposal and that there is a strategy in place.


Even with the most sensitive data – on child protection, for example, or medical records – the key is making a decision based on what’s appropriate.


Rice told us: “There are many ways of securing and deleting data. It just depends what’s most appropriate for those circumstances. Certainly, a physical destruction, or a shredded hard disc, is pretty much as guaranteed as you’re going to get. But secure-wiping can be appropriate as well.”
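A data controller who takes “secure-wiped” drives back from a contractor, or samples them before they leave the building, can check the wipe rather than rely on the certificate. The script below is an added example, not code from the ICO, PSE or the original article; it assumes Python 3 and treats a drive as an ordinary readable file (an image file, or a block device such as /dev/sdb opened as root). The two drive images it scans are constructed in memory to stand in for real hardware.

```python
"""Spot-check that a drive (or image) has actually been wiped.

Two independent checks: look for well-known partition-table and filesystem
signatures at their standard offsets, and read a sample of blocks at
pseudo-random offsets to confirm they are all zero. Added example, not from
the original article.
"""
import io
import os
import random
from typing import BinaryIO

# On-disk magic values that should never survive a wipe. Offsets are the
# standard positions for these structures. Assumption: the drives held common
# Windows/Linux formats; add further signatures as needed.
SIGNATURES = [
    ("MBR boot signature", 510, b"\x55\xaa"),
    ("NTFS volume", 3, b"NTFS    "),
    ("GPT header", 512, b"EFI PART"),
    ("ext2/3/4 superblock", 1024 + 0x38, b"\x53\xef"),
]


def find_signatures(fh: BinaryIO) -> list:
    """Return the names of any known signatures still present on the media."""
    found = []
    for name, offset, magic in SIGNATURES:
        fh.seek(offset)
        if fh.read(len(magic)) == magic:
            found.append(name)
    return found


def sample_blocks(fh: BinaryIO, size: int, block_size: int = 4096,
                  samples: int = 64, seed: int = 0) -> list:
    """Read `samples` blocks at seeded pseudo-random offsets (first and last
    block always included) and return the byte offsets of any block that is
    not entirely zero."""
    nblocks = max(1, size // block_size)
    rng = random.Random(seed)  # seeded so a report can be reproduced
    indices = {0, nblocks - 1} | {rng.randrange(nblocks) for _ in range(samples)}
    dirty = []
    for idx in sorted(indices):
        fh.seek(idx * block_size)
        if any(fh.read(block_size)):  # any non-zero byte means data survived
            dirty.append(idx * block_size)
    return dirty


def verify_wipe(fh: BinaryIO, size: int, **kw) -> dict:
    """Combine both checks. 'wiped' is True only when no signature remains and
    every sampled block is zero. A sample is evidence, not proof: only a full
    read of the device gives a definitive answer."""
    sigs = find_signatures(fh)
    dirty = sample_blocks(fh, size, **kw)
    return {"signatures": sigs, "dirty_blocks": dirty, "wiped": not sigs and not dirty}


def verify_wipe_bytes(img: bytes, **kw) -> dict:
    """Convenience wrapper for an in-memory image."""
    return verify_wipe(io.BytesIO(img), len(img), **kw)


def verify_wipe_path(path: str, **kw) -> dict:
    """Run the check against a file or block device (e.g. /dev/sdb, needs root)."""
    with open(path, "rb") as fh:
        fh.seek(0, os.SEEK_END)
        size = fh.tell()
        return verify_wipe(fh, size, **kw)


# Constructed sample images (1 MiB each), not captures of real drives.
IMAGE_SIZE = 1024 * 1024
WIPED_IMAGE = bytes(IMAGE_SIZE)


def _quick_formatted_image() -> bytes:
    """A drive that was only quick-formatted: NTFS boot sector and a fragment
    of file data are still in place (constructed)."""
    img = bytearray(IMAGE_SIZE)
    img[3:11] = b"NTFS    "
    img[510:512] = b"\x55\xaa"
    payload = b"PATIENT RECORD: constructed sample text"
    off = 300 * 1024
    img[off:off + len(payload)] = payload
    return bytes(img)


LEFTOVER_IMAGE = _quick_formatted_image()

if __name__ == "__main__":
    for label, img in (("wiped", WIPED_IMAGE), ("quick-formatted", LEFTOVER_IMAGE)):
        print(label, verify_wipe_bytes(img))
```

Two caveats a practitioner should keep in mind. If the contractor overwrote with a random pattern rather than zeros, sampled blocks will not be zero and only the signature check applies, so agree the expected end state with the contractor in advance. And on SSDs a read-back over the logical block range cannot see flash pages the controller has retired or remapped, which is one reason a hardware sanitise command or physical destruction is preferred for solid-state media.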


He added: “It’s important to think about all the different ‘bits’ of IT within an organisation: not just desktops and laptops but also devices like fax machines and printers, which can also have some sort of memory in them.


“As we move to mobile devices and bring-your-own-device working, that brings in a whole other dimension – especially if any employee wants to bring in their iPad, use that for 12 months, then wants to sell that on eBay to make a little money, for example. That can cause a difficult situation, because you can’t exactly pull out the hard drive from a tablet or mobile phone, and you don’t want to hit it with a hammer or destroy it. That would destroy its value.


“Guidelines on that are still being formulated, we’re discussing it with people like CESG [the Government’s National Technical Authority for Information Assurance] to see what they’d recommend. They’d go through and test secure-wiping procedures. As a minimum, we suggest software wiping and using the factory reset function. But it’s crucial to think about what data is being put on these devices and whether it can be wiped at the end of life.”


The ICO is happy to offer advice on these issues, Rice said. “We’re always available to answer questions via our helpline. Though some of those questions might be easily answered by reviewing the guidance, and we can’t go to every organisation and rubber-stamp their procedures – we just don’t have the time and the manpower – but there are a huge number of specialist disposal organisations out there that are doing a good job.”


FOR MORE INFORMATION www.tinyurl.com/ICO-asset-disposal

