In July 2013, NHS Surrey was fined £200,000 for failing to properly ensure sensitive patient records had been securely erased. The story came to light when a member of the public purchased an ex-NHS PC unit from eBay, only to find a folder of sensitive patient records right on the desktop. The NHS used the services of an external data destruction company, yet was penalised for its failure to check that devices had actually been wiped. This case, like others, demonstrates how costly it can be to overlook any stage in securely erasing data.
Data is the lifeblood of the modern organisation. It ensures businesses can interact with customers, suppliers and other stakeholders effectively. It guides the decisions of senior managers and enhances the efficiency of its workers. Securing this data is critical, and with the wealth of regulation and legislation guiding its use, it is imperative your organisation secures it – even on devices scheduled for decommission.
What data is housed on your redundant IT assets?
The impending General Data Protection Regulation increases the breadth of information classed as personal data. It now stretches to include IP addresses, cookie files, and any other piece of information that could identify an individual. Redundant PC units, laptops, server equipment, storage devices, printers or fax machines can all capably store this data.
If this data falls into the wrong hands, it won’t only be a case of your corporate identity being tainted; you may also be liable to heavy financial penalties – up to £17m as of May 2018. Despite this threat, the redundant IT assets your organisation holds provide an opportunity to broaden your CSR initiatives, demonstrate your sustainable agenda and recoup some costs.
Securely and compliantly erasing data
There is no shortage of compliance and regulatory issues to consider when making plans for redundant IT equipment. Some of this legislation governs how data should be securely erased, when it should be destroyed, how assets are disposed of and how the materials within equipment are sustainably recycled.
General Data Protection Regulation (GDPR)
GDPR marks one of the biggest evolutions in data protection law. It introduces new rights for individuals, vastly increases the accountability of organisations in the case of a data breach, and encourages organisations to build security ‘by design’ into IT infrastructure and systems.
Your organisation may need to undertake an information and equipment audit to ascertain the types of data processed, the locations of personal data and the modes of access. Once this has been established, you may need to centralise data such as customer records to conform with the new set of citizens’ rights.
Redundant IT equipment may be storing old, outdated records, or even records that you no longer have the right to process.
Payment Card Industry Data Security Standard (PCI-DSS)
If your organisation processes any form of cardholder information or takes payments through credit/debit cards, you will be aware of the PCI-DSS standard. In February, version 3.2 becomes the new required standard, and this will influence how you deal with redundant IT assets.
The third requirement of PCI-DSS (items 3.1 to 3.7) describes how cardholder data should be secured and erased when there is no legal or commercial reason to keep hold of it. To be fully compliant, organisations are encouraged to produce a formal data retention policy that identifies where all such data resides.
The PCI Security Standards Council recommends that organisations securely wipe, degauss or shred equipment that has housed cardholder data. It also recommends securing the cupboards in which equipment awaiting disposal is stored.
HMG Infosec Standards
In the UK, data wiping is overseen by the Communications Electronics Security Group at the National Cyber Security Centre. They recommend that, at a minimum, high-impact data is securely erased as per HMG Infosec Standard No. 5, the standard that government bodies are required to meet.
The process involves filling disks and solid state drives with randomly generated data, to ensure the removal of all previous data. If a disk cannot be effectively wiped, then the standard dictates that equipment should be physically destroyed, through shredding or by using a degausser.
It is generally considered best practice to treat all data as high-impact data, especially where the data content of redundant equipment is unknown.
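Whether a wipe actually happened is the question the NHS Surrey case turns on, and the IS5 random-data overwrite gives a measurable property to check for. As an added example (not the article's or Premier Sustain's code), this Python script samples a drive or disk image after wiping and flags chunks whose byte entropy is too low for random output or that still carry a filesystem signature; the entropy threshold and the signature list are my assumptions.

```python
import math
import sys
from collections import Counter
from typing import Iterable, Iterator

CHUNK_SIZE = 4096
# Random overwrite output has close to 8 bits/byte of entropy; anything well
# below that (text, zeros, structured metadata) was not overwritten with
# random data. Threshold is an assumption; a zero-fill wipe would also fail it.
MIN_ENTROPY = 7.5
# Illustrative on-disk signatures that should not survive an overwrite
# (NTFS boot-sector OEM id, GPT header, BitLocker volume header). Assumed list.
SIGNATURES = [b"NTFS    ", b"EFI PART", b"-FVE-FS-"]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inspect_chunk(data: bytes) -> list[str]:
    """Return the reasons this chunk looks un-wiped; an empty list means clean."""
    findings = []
    if shannon_entropy(data) < MIN_ENTROPY:
        findings.append("low entropy")
    findings.extend(f"signature {sig!r}" for sig in SIGNATURES if sig in data)
    return findings


def verify_wipe(chunks: Iterable[bytes]) -> dict:
    """Scan chunks and report how many carry residue and where it was seen."""
    report = {"chunks": 0, "suspect": 0, "findings": []}
    for index, data in enumerate(chunks):
        report["chunks"] += 1
        reasons = inspect_chunk(data)
        if reasons:
            report["suspect"] += 1
            report["findings"].append((index, reasons))
    return report


def read_chunks(path: str, sample_every: int = 1) -> Iterator[bytes]:
    """Yield every `sample_every`-th chunk of a block device or image file."""
    with open(path, "rb") as fh:
        index = 0
        while data := fh.read(CHUNK_SIZE):
            if index % sample_every == 0:
                yield data
            index += 1


if __name__ == "__main__":
    # e.g. python verify_wipe.py /dev/sdX 64   (inspects one chunk in 64)
    step = int(sys.argv[2]) if len(sys.argv) > 2 else 1
    result = verify_wipe(read_chunks(sys.argv[1], step))
    print(f"{result['suspect']} of {result['chunks']} chunks suspect;",
          f"first findings: {result['findings'][:5]}")
```

Any non-zero suspect count means the device goes back for re-wiping or physical destruction rather than out of the building; a sample step larger than 1 trades coverage for scan time.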
When disposing of redundant IT and electrical equipment, organisations are bound by environmental legislation, principally in the following areas:
- The Waste Electrical and Electronic Equipment Directive (WEEE) and corresponding regulations aim to reduce the quantity of waste electrical and electronic equipment produced and increase its reuse, recovery and recycling. Under these regulations, the obligation for ensuring that WEEE is treated and disposed of in an environmentally sound way broadly lies with the producers of electrical and electronic equipment. If a business that generates WEEE does not use a producer take-back scheme, that business is obliged to dispose of its own WEEE in line with the waste duty of care outlined below.
- Some WEEE is classified as hazardous waste due to the presence of hazardous components or substances, for example fluorescent tubes, nickel-cadmium batteries and cathode ray tubes. If deemed hazardous (see the Government’s list of WEEE classified as hazardous), there are strict controls which apply from the point of its production and govern its movement, management, recovery and disposal.
- As per section 34 of the Environmental Protection Act (1990) organisations have a waste duty of care, to ensure equipment is stored, transported and disposed of without harming the environment. This duty of care applies from when the waste is produced until it has been received by a business that is authorised to deal with it. The business receiving the WEEE must have an appropriate Waste Carrier’s Licence if they are transporting the waste, and an appropriate environmental permit or exemption for the site(s) to which the WEEE is being taken. Read DEFRA’s waste duty of care code of practice.
- The Transfrontier Shipment Regulations govern the movement of recyclable materials across borders. They relate to non-hazardous (‘green list’) waste, which can legally be shipped for recovery between any OECD (Organisation for Economic Co-operation and Development) countries (waste for disposal and exports of hazardous waste are largely not permitted). These shipments are highly regulated, and require prior notification and written consent from the environmental regulator of both the home and the destination country.
Financial penalties for noncompliance are growing, as is the intangible cost of sensitive data falling into the wrong hands. Crucially, organisations need to secure data and ensure that redundant IT assets are properly disposed of to avoid hugely negative consequences.
Equally, the processing of redundant IT equipment provides organisations with an opportunity. Securely, compliantly and sustainably processing this equipment can enable an organisation to build CSR leadership in its industry.
Processing redundant equipment requires a strategy, one that ensures your organisation stays secure and complies with the wealth of legislation. Premier Sustain’s Renew IT service has been designed to assist organisations with clearing redundant IT and electrical assets compliantly and sustainably. We are fully insured, compliant with all UK and EU legislation and use NCSC certified data erasure software to guarantee secure erasure.