The recent monetary penalty of £200,000 issued by the Information Commissioner’s Office to NHS Surrey for failing to check the destruction of old computers highlights the importance of an asset disposal strategy.
NHS Surrey employed a data destruction company to wipe and destroy their old computer equipment. The service was provided for free; however, an agreement was in place that any salvageable materials could be sold on once the hard drives were securely destroyed.
Unfortunately, thousands of patient records were found on a second-hand computer bought through an online auction site. A further three computers containing personal data were subsequently retrieved.
The ICO ruled that NHS Surrey failed to observe and monitor the destruction process, and did not have a contract in place explaining the legal requirements of the data destruction under the Data Protection Act (DPA).
It is crucial that organisations continually risk assess their current disposal processes and carefully consider the vulnerabilities associated with each method of disposal. This applies not just to PCs and laptops, but to servers, printers, USB sticks, backup storage devices and paper records. Remember that any specialist service provider is considered a “data processor” under the DPA, and a written contract should be in place with clear and precise guidelines on the services to be undertaken. Service providers should be monitored or audited where possible, and certificates of destruction should be provided.
If personal data is compromised during the asset disposal process (even after it has been passed to a service provider), the organisation could face financial and reputational damage as a result of a Data Protection Act breach. Therefore, it is essential that the disposal process is managed effectively as an integral element of an Information Security Management System.