Getting data destruction right

A failure to destroy sensitive data securely can put public bodies at risk of hefty fines from the Information Commissioner's Office. Alison Deighton sets out how they should go about it.

Regular readers may recall our recent article regarding fines handed out to two public authorities by the Information Commissioner following third party disclosure of confidential information which ought to have been destroyed.

In this earlier article we focused on the lessons arising for local authorities when using contractors to carry out data processing activities on their behalf. In this article we consider the requirements the Data Protection Act imposes in relation to the destruction and deletion of personal data and the practical steps that local authorities can take to ensure that personal data is destroyed securely.

Before we look at the practical requirements which organisations should follow, it is worth recapping on the facts of the two recent cases.

In the first instance, a contractor was appointed by a Hospital Trust to destroy 1000 decommissioned hard drives. This contractor, in turn, engaged a third party to carry out the work. No contract was entered into between these two parties and only rudimentary checks were carried out on the sub-contractor. The drives contained the unencrypted personal data of tens of thousands of patients and employees including names, addresses, dates of birth, salary details and highly personal medical records. Despite the sub-contractor providing a certificate of destruction for the drives, over the following months 232 of the drives were sold online via auction sites. The Trust was handed a record £325,000 fine.

The second case involved a contractor engaged by a council to digitise pension records. The processor was provided with hard copy files which were then scanned on to disc. The discs were returned to the authority, albeit unencrypted and by non-secure post. The paper files, however, were not: 676 of them were discovered in overflowing public recycling bins. The records contained confidential employee data including names, addresses, dates of birth and salary information. The authority was fined £250,000.

Legal requirements for destruction of personal data

In both cases, fines were imposed on public authorities because personal data was not destroyed securely. Two requirements of the Data Protection Act are relevant here. Firstly, one of the data protection principles requires local authorities to ensure that personal data is not kept for longer than is necessary for the purpose for which it was collected, i.e. data must be destroyed when it is no longer needed. Secondly, another principle requires authorities to keep personal data secure and to put in place appropriate measures to prevent unauthorised access.

In order to comply with these requirements local authorities therefore need to identify appropriate data retention periods for different categories of personal data and, when those retention periods expire, ensure that adequate procedures and processes are in place to dispose of the data securely.

Practical considerations

The Data Protection Act does not specify the methods by which personal data should be deleted or destroyed. Local authorities therefore have some flexibility in relation to the methods deployed, provided that they are secure.

In relation to manual files, the position is relatively straightforward. The papers need to be destroyed (for example through incineration or shredding) in such a way that the data cannot be reconstituted. Local authorities should be aware of the following risks:

  • Some shredding facilities do not shred data to the standard required to ensure that data cannot be reconstituted. Care therefore needs to be taken to check the method of shredding to ensure that it is adequate.
  • Ensure that confidential waste bins cannot be accessed by unauthorised staff. Confidential waste bins should be locked and only senior personnel should have authority to permit access.
  • Ensure that confidential waste that is waiting to be destroyed is kept in a secure area and do not leave confidential waste sacks in common parts of a building or outside in the street.
  • Where third parties are used to dispose of data ensure that appropriate contracts are in place with robust security obligations.

For electronic data, deletion may be achieved either by physical destruction of the media on which the data is held, as should have happened in the Hospital Trust case, or by use of deletion software. There are benefits and disadvantages of each approach.

Physical destruction involves physically destroying the media so that it can no longer be used. This is a cheap and effective method of destroying data, and would be most appropriate for removable media such as CDs, DVDs, memory sticks or, as in the Hospital Trust case, removable hard drives. However, where it is not possible to remove the media on which the information is stored from the device (for example devices with integrated hard drives), physical destruction will necessitate the destruction of the device itself and is a potentially costly solution.

Secure deletion software, by contrast, overwrites the data so that the media can be used again. Although the process is simple and relatively cheap, it can be time consuming to overwrite large drives and it may be necessary to overwrite the media several times to ensure deletion.

Care must be taken to ensure that electronic records which appear to have been deleted (so far as the user is concerned) have in fact been permanently removed from an organisation's systems. "Deletion" of electronic data may refer not only to the irretrievable, permanent destruction outlined above, but also to archiving information in an organised, accessible manner, albeit in a way which reduces its availability and the risk of it being misused. "Deletion" may also simply refer to the process of sending records to an electronic wastebasket that is never subsequently emptied. As a result, electronic records which are referred to as "deleted" are not necessarily destroyed, and may remain accessible in some form on the organisation's systems.
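The difference between "deleted" and "destroyed" is easiest to see on a small model of a storage medium. The following Python script is an added example (it is not from the article or from any named product) that models a medium as an in-memory byte array with a toy directory, then compares four disposal methods: ordinary deletion, overwriting a single file before deleting it, a quick reformat, and overwriting the whole medium. A "carving" function scans the raw bytes the way recovery software does, ignoring the directory. The file-system model, the record contents and the regex used to find records are all constructed for illustration. The same example bears on the later point that reformatting a device recreates its structures without removing the data.

```python
"""Added example (not from the article): why a record that is "deleted"
is not necessarily destroyed.

A small storage medium is modelled in memory as a bytearray with a toy
directory, so the whole demonstration runs offline. The file-system model,
the record contents and the regex used to "carve" records are constructed
for illustration and do not describe any real device or product.
"""
import os
import re

SECTOR = 64        # toy sector size in bytes
N_SECTORS = 64     # 4 KiB of "media" in total
RECORD_RE = re.compile(rb"RECORD \d{4}")   # marker carried by each constructed record


class ToyMedium:
    """A block device plus a directory mapping file names to their sectors."""

    def __init__(self):
        self.raw = bytearray(SECTOR * N_SECTORS)
        self.directory = {}                  # name -> [sector, ...]
        self.free = list(range(N_SECTORS))

    def write_file(self, name, data):
        sectors = []
        for off in range(0, len(data), SECTOR):
            s = self.free.pop(0)
            chunk = data[off:off + SECTOR]
            self.raw[s * SECTOR:s * SECTOR + len(chunk)] = chunk
            sectors.append(s)
        self.directory[name] = sectors

    def unlink(self, name):
        """Ordinary deletion (wastebasket emptied, rm, DEL): the directory
        entry goes and the sectors are marked free, but the bytes stay put."""
        self.free.extend(self.directory.pop(name))

    def quick_format(self):
        """Reformat: recreate the file-system structures, touch no data."""
        self.directory = {}
        self.free = list(range(N_SECTORS))

    def secure_erase_file(self, name, passes=3):
        """Overwrite every sector of one file before releasing it."""
        for s in self.directory[name]:
            for _ in range(passes):
                self.raw[s * SECTOR:(s + 1) * SECTOR] = os.urandom(SECTOR)
            self.raw[s * SECTOR:(s + 1) * SECTOR] = bytes(SECTOR)  # final zero pass
        self.unlink(name)

    def wipe(self, passes=1):
        """Overwrite the whole medium, then rebuild an empty file system."""
        for _ in range(passes):
            self.raw[:] = os.urandom(len(self.raw))
        self.raw[:] = bytes(len(self.raw))   # deterministic final state
        self.quick_format()


def carve(medium):
    """What recovery tools do: ignore the directory and scan the raw bytes."""
    return [m.group().decode() for m in RECORD_RE.finditer(bytes(medium.raw))]


def demonstrate():
    """Apply the four disposal methods in turn and report what carving finds."""
    m = ToyMedium()
    for i in range(3):   # constructed records, one per file, each fits one sector
        rec = f"RECORD {i:04d} name=Person {i} dob=1970-01-0{i + 1} salary={20000 + i}"
        m.write_file(f"rec{i}.txt", rec.encode())
    found = {}
    m.unlink("rec0.txt")                  # "deleted" from the user's point of view
    found["after_unlink"] = carve(m)
    m.secure_erase_file("rec1.txt")       # overwritten, then deleted
    found["after_secure_erase"] = carve(m)
    m.quick_format()                      # structures rebuilt, data untouched
    found["after_quick_format"] = carve(m)
    m.wipe()                              # whole medium overwritten
    found["after_wipe"] = carve(m)
    return found


if __name__ == "__main__":
    for step, records in demonstrate().items():
        print(f"{step:20s} carving recovers: {records or 'nothing'}")
```

Running the script shows that the unlinked record and the records surviving a quick format are still carved from the raw bytes, while the overwritten file and the wiped medium yield nothing. On real hardware the picture is more complicated (flash wear levelling and spare areas can hold copies the file system never exposes), which is why the article's advice to confirm the behaviour of a given device with its manufacturer, or to destroy removable media physically, still applies.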

If data has not been removed permanently from an organisation's systems then technically it will still be subject to all the requirements of the Data Protection Act, including the requirement to comply with subject access requests. Fortunately, the Information Commissioner's Office (ICO) recognises the potential difficulties in permanently destroying electronic data and has said that it will adopt a more realistic approach to enforcement in cases where an organisation cannot realistically ensure electronic deletion.

In a recent guidance note the ICO indicated that where it is not possible for an organisation to permanently destroy electronic data (for example because there is a time lag before data is over-written or because it is impossible to delete the relevant records without also deleting data that needs to be retained), the ICO will be satisfied if the data is put "beyond use" and may suspend data protection compliance requirements accordingly.

In order to benefit from this relaxation of obligations, local authorities will need to demonstrate that they meet four criteria:

  • Firstly, that they are not able to use the personal data to inform any decision in respect of any individual. This might be achieved for example by deactivating the media from "live" systems, or removing the relevant storage media from the hardware itself.
  • Secondly, that no other organisation has access to the personal data.
  • Thirdly, that the data is protected by appropriate technical and organisational security measures.
  • Fourthly, the authority must commit to destroying the data permanently as and when this becomes possible.

Where these criteria are met, the ICO has indicated that individuals' access rights will not be strictly enforced, nor will the ICO enforce the requirements of the data protection principles in relation to this information.

The issues can therefore be complex when considering how to securely dispose of electronic data. Authorities should bear in mind the following:

  • If a third party is contracted to destroy hardware, a detailed inventory of equipment will need to be prepared and the contractor required to provide destruction certificates for each piece of equipment detailed on the inventory. Local authorities considering outsourcing this task to a contractor will need to ensure that the requirements of the Data Protection Act which apply to outsourcing arrangements are met. Audit trails and inventory logs of the movement of records and drives scheduled for deletion should also be maintained and regular monitoring undertaken to ensure that security obligations are met.
  • The effectiveness of methods of "deleting" data can depend on the device itself. For example, it may be possible to restore a device to its factory settings. Checks should be made with the relevant manufacturers to confirm that data removed in this way is permanently deleted. Reformatting a device to recreate its original structures and file system is generally not sufficient. Records removed in this way will often be easily recoverable using freely available software.
  • If it is not physically possible to delete electronic data, consider whether it is possible to meet the ICO's requirements to put the data 'beyond use' and therefore benefit from the suspension of strict subject access and data deletion requirements.
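The first bullet above calls for a detailed inventory, a destruction certificate for every item on it, and regular monitoring. The script below is an added example (not from the article, and not any contractor's real format) of the reconciliation a monitoring officer can run when a batch of certificates comes back: every inventoried serial must have exactly one certificate, no certificate may name a serial that was never handed over, and no certificate may be dated before the item was collected. The CSV layouts, asset tags, serial numbers, certificate numbers and dates are all constructed.

```python
"""Added example (not from the article): reconciling a disposal inventory
against the contractor's destruction certificates.

The CSV layouts are an assumption, and every asset tag, serial number,
certificate number and date below is constructed for illustration.
"""
import csv
import io
from datetime import date

INVENTORY_CSV = """asset_tag,serial,media_type,collected_on
LA-0001,WD-ABC123,hdd,2012-06-01
LA-0002,WD-ABC124,hdd,2012-06-01
LA-0003,ST-XYZ900,hdd,2012-06-01
LA-0004,USB-7781,usb,2012-06-01
"""

CERTIFICATES_CSV = """certificate_no,serial,method,destroyed_on
CD-1001,WD-ABC123,shred,2012-06-03
CD-1002,WD-ABC124,shred,2012-06-03
CD-1003,ST-XYZ901,shred,2012-06-03
CD-1004,USB-7781,shred,2012-05-30
CD-1005,WD-ABC124,shred,2012-06-04
"""


def load(text):
    """Parse one CSV document into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(inventory_csv=INVENTORY_CSV, certificates_csv=CERTIFICATES_CSV):
    """Match every inventoried item to exactly one plausible certificate.

    Returns the exceptions for the monitoring file plus a sign_off flag that
    is True only when there are no exceptions at all.
    """
    inventory = {row["serial"]: row for row in load(inventory_csv)}
    certified = {}                                   # serial -> [certificate rows]
    for c in load(certificates_csv):
        certified.setdefault(c["serial"], []).append(c)

    # Items handed over for which no certificate has come back.
    uncertified = sorted(s for s in inventory if s not in certified)
    # Certificates naming a serial that was never on the inventory (mis-keyed
    # serial, or a drive from somewhere else entirely): query with the contractor.
    unknown = sorted(s for s in certified if s not in inventory)
    # A destruction date earlier than the collection date cannot be right.
    implausible = []
    for serial, row in inventory.items():
        for c in certified.get(serial, []):
            if date.fromisoformat(c["destroyed_on"]) < date.fromisoformat(row["collected_on"]):
                implausible.append(c["certificate_no"])
    # Two certificates for one serial means at least one of them is wrong.
    duplicates = sorted(s for s, cs in certified.items() if len(cs) > 1)

    cleared = []
    for serial in sorted(inventory):
        cs = certified.get(serial, [])
        if len(cs) == 1 and cs[0]["certificate_no"] not in implausible:
            cleared.append(serial)

    return {
        "uncertified": uncertified,
        "unknown_serials": unknown,
        "implausible_dates": implausible,
        "duplicate_certificates": duplicates,
        "cleared": cleared,
        "sign_off": not (uncertified or unknown or implausible or duplicates),
    }


if __name__ == "__main__":
    for key, value in reconcile().items():
        print(f"{key:22s}: {value}")
```

The reconciliation only checks that the paperwork is internally consistent. In the Hospital Trust case a certificate of destruction was issued for drives that later turned up for sale, so a clean reconciliation is a necessary condition for signing a batch off, not proof of destruction; it should sit alongside the regular monitoring of the contractor that the bullet describes.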

Alison Deighton is a partner and Head of the Data Protection and Privacy team at TLT Solicitors. She can be contacted on 0117 917 8016 or by email.