Getting Rid Of Your IT Equipment?

In response to data breaches arising from recycled or re-sold IT equipment that still contains personal data, the ICO has issued 'good-practice' guidance. So, if you're thinking of getting rid of IT equipment (including phones, tablets, desktops, laptops, hard drives, servers, USB devices, back-up storage media, faxes and printers with the ability to store data), here's what you need to know...

The Background

The most high-profile case on this issue relates to the disposal of hard drives by a contractor engaged by Brighton and Sussex University Hospitals NHS Trust - the ICO issued a fine of £325k after a number of unscrubbed hard drives containing sensitive patient data were found for sale on eBay.

The ICO has also commissioned a survey which found that 1 in 10 second-hand hard drives contain personal data and that 65% of UK adults make their old phone/computer available to another user once they've finished with it - increasing the risk that devices which still contain personal data are passed on.

Practical Steps You Should Take

The ICO's guidance recommends that you:

  • Ensure that a member of your staff with a suitable level of authority has responsibility for IT asset disposal (preferably a director or an employee with a direct reporting line to a director).

  • Ensure that your IT security policy expressly includes your policy on disposal of IT assets and deletion of personal data, that your staff are made aware of the policy and are adequately trained (particularly those staff who are most likely to be involved in the process of IT asset disposal).

  • Ensure that your policy considers all scenarios in which IT assets may leave your organisation, including destruction of equipment which is no longer usable, recycling/resale of usable equipment and the return of leased equipment (business sales may also present similar issues).

  • Ensure that you have a fully documented inventory of all IT assets that you intend to dispose of and maintain a record of all IT assets which are transferred to a third party.

  • Consider the security vulnerability associated with each method of disposal and ensure you have appropriate technical and physical security measures in place (e.g. recycling/reselling IT assets may have a greater risk profile than destruction, albeit both options will have heightened risks where you are relying on a third party to recycle/resell/destroy your IT assets).

  • Delete personal data from IT assets before they are recycled, where possible.

  • Evaluate the nature of your business and the nature of the personal data which is held on the IT assets which you are disposing of (and the harm which may be caused to individuals if the data contained on those devices was subject to an unauthorised disclosure).

  • Treat any third party which is entrusted with recycling/reselling/destroying your IT assets as a 'data processor' (so that you have a legally binding written agreement in place which mandates security requirements consistent with your IT security policy) - the key point to remember is that as the data controller, you're responsible for breaches of the DPA even if they are caused by a third party.

  • Ensure that there is a clear and documented 'chain of custody' in relation to the disposal of your IT assets with roles and responsibilities clearly allocated (preferably, as part of your contract).

  • Undertake due diligence on any third party suppliers who are involved in the process to ensure that they are appropriately trained and experienced in the recycling/resale/destruction of IT assets & ensure that whatever guarantees are given to you as part of the supplier selection phase are recorded in your contract.

  • Ensure that you're aware of and have control over any sub-processors/sub-contractors which your service provider may use (again, as data controller, you'll be responsible for breaches caused by your service provider's sub-processors).

  • Risk assess your process and policy: who will check and confirm whether assets contain personal data; who will check and confirm that personal data has been irretrievably removed from the assets; who will physically remove assets from your premises; how the end-to-end process will be specified and monitored; and when/how you will verify your service provider's compliance with your policy/contractual requirements.

  • Actively monitor your service provider's compliance with your contractual requirements & don't just assume they'll comply with the contract - conduct a site assessment and audit your service provider's compliance on an ongoing basis (spot-checks would be advisable).

To Summarise...

In short, policies, training and control of your supply chain are key when disposing of IT assets which may contain personal data. It is also key to ensure that those involved in the process have a clear understanding of what constitutes 'personal data' so that the process is applied in all relevant cases.

If you're considering implementing a 'bring your own device' policy, particular care should be taken to ensure that the user's own data and corporate data are partitioned, so that corporate data (and access to corporate systems which hold personal data) are not accessible if your employee decides to sell their existing device (as 65% of UK adults currently do), if your employee leaves your employment, or if their device is lost/stolen.

This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.