ICO publishes guidance on secure disposal of IT equipment

The Information Commissioner's Office (ICO) has published guidance on the secure disposal of IT equipment that may contain personal data, following a number of recent incidents that led to substantial fines.

The most high-profile case saw a £325,000 fine imposed on Brighton and Sussex University Hospitals NHS Trust after decommissioned hard drives, still holding patient data, were found being sold on an internet auction site.

The ICO's guidance says that organisations should:

  • ensure that responsibility for asset disposal is assigned to a member of staff with a suitable level of authority;
  • complete a full inventory of all equipment that they have marked for disposal;
  • be clear about what will happen to devices when the organisation no longer needs them;
  • consider the security vulnerabilities associated with each method of disposal;
  • ensure that personal data is securely erased (not merely deleted) before devices are recycled, so that it is not accessible to others after the device has left their ownership;
  • be aware that any specialist service provider they use will be a ‘data processor’ under the Data Protection Act (DPA); and
  • have a written contract in place between them and the data processor, ensuring that an appropriate level of security is in place.

The ICO said the DPA requires a written contract between the organisation and the data processor, so that both parties are aware of their obligations.

The guidance says organisations should ensure that the contract gives explicit direction on the services to be undertaken and states that the data processor may act only on the organisation's instructions.

It says the contract should include an approved specification for IT asset disposal which is aligned to the organisation’s disposal/security policy. Full details of all downstream partners involved in the service should also be included.

The guidance says: “Any downstream partner contracts should include the same data controller specification for IT asset disposal as the minimum service level to be met.”

The ICO highlighted how the seventh principle of the DPA says that “appropriate technical and organisational measures shall be taken against accidental loss or destruction of, or damage to, personal data”.

The watchdog warned in the guidance: “If personal data is compromised during the asset disposal process, even after it has left your organisation, you may still be responsible for breaching the DPA so it is important to manage the process correctly.”

See also: Getting data destruction right by Alison Deighton