Q&A: Getting rid of old IT equipment safely and securely
Data expert Simon Walsh answers key questions on data protection and environmental obligations when replacing IT and mobile phone hardware
What are the data protection requirements for files and data stored or processed on practice computers?
While most GPs are aware of their data protection obligations for safeguarding hard copy documents and preventing unauthorised access to data held on computers while those files are active, many do not understand the need to protect those files even after they’ve been deleted from a computer.
Paper documents must be shredded or incinerated when they are no longer required and it’s easy to monitor the physical destruction of the data.
But it’s much more difficult to verify deletion of files held on computer as they may be embedded in the old hardware.
However, the same data protection rules do apply so all redundant IT hardware, including PCs, printers, laptops and hand-held devices must be professionally erased by an accredited user of data sanitisation software.
Can data be securely erased by the in-house IT team without bringing in a third party provider?
An in-house team can carry out the erasure as long as a data erasure software solution, such as Blancco or equivalent software approved by the national technical authority for information assurance (CESG), is used.
The recommended and most secure approach would be to employ a reputable data sanitisation specialist to provide an audited report detailing the secure processing of every item to ensure complete accountability and traceability, or to physically destroy the hard drive with an industrial guillotine or incinerator.
Data sanitisation is preferable as EU law prevents the disposal of IT equipment to landfill.
Healthcare organisations may also be able to recover some of the value of the redundant IT assets from their data sanitisation partner through the redeployment of securely erased equipment.
How can we be sure that the data sanitisation specialist we choose will be thorough?
When selecting a supplier to help with this, look for an ADISA (Asset Disposal & Information Security Alliance) member, as this will provide a guarantee of best practice and secure data erasure expertise.
ADISA is a group of leading risk management, compliance and data protection experts and demands high standards of data sanitisation from its members, who must achieve a minimum score from a stringent assessment in order to gain accreditation.
It’s also important to ensure that the data erasure specialist chosen is a certified user, and preferably Gold partner of Blancco data erasure software, to guarantee maximum levels of security. You should expect full account management and detailed reporting for every item of hardware.
Finally, the owner of the hardware remains accountable for any lapse in data security while the IT or mobile phone equipment is in transit, so look for a supplier or an ADISA-approved logistics company that will collect everything in their own unmarked vehicles. This ensures complete accountability throughout the process.
What are the consequences if there are lapses in data protection due to failures in sanitising redundant IT hardware or mobile phone handsets?
The rules relating to the handling of individuals’ personal data are not only encased in law, they are also vigilantly policed by the ICO (Information Commissioners’ Office) and any failures to protect data can – and often do – result in onerous fines, often reaching five figure sums.
The example of NHS Surrey last summer provides a cautionary tale. While the health authority ostensibly did everything right by employing a third party ‘specialist’ to destroy their data and dispose of the hardware, a cost saving approach left the authority exposed to data protection failings. The data destruction company had offered a ‘free’ service in return for the right to sell on the equipment, which was then sold on eBay with thousands of patient records still accessible on the hard drives. The result was a £200,000 fine and legal proceedings.
The case is an important reminder that the owner of the IT and mobile phone equipment remains responsible for maintaining data security even if its data erasure obligations have been outsourced.
How can we recover some of the value of the redundant IT assets through redeployment of securely-erased equipment?
The financial returns on any redundant equipment will depend on that equipment’s resale value once erased so each item’s age, specification and wear and tear will all affect the amount of return.
However, working with a data sanitisation specialist will ensure that equipment can be re-used without any data protection implications, ensuring compliance, providing an environmentally-responsible approach to asset disposal and potentially creating a revenue stream that can be re-invested in new IT equipment.
Where can I find impartial information about data protection requirements and obligations?
The ICO (Information Commissioners Office) has also published information on selecting an ITAD (IT Asset Disposition) provider. However, scant mention is made of the data protection implications of the incorrect disposal of redundant IT and mobile phone hardware, with the BMA Confidentiality Toolkit simply stating that ‘electronic data should be destroyed using appropriate data destruction software’.
Both guides signpost healthcare professionals to the Department of Health’s Information Governance Toolkit, which has a ‘Secure Disposal or Re-use of Equipment’ section, outlining obligations and discussing a best practice approach.
This guidance clearly states that equipment must not be passed on or re-used without first ensuring that all sensitive or confidential data has been ‘irrevocably destroyed’. It also cautions that a full record of the devices/drives erased and the destruction method used must be kept by any third party contracted to provide the service.
Simon Walsh is the co-founder of secure data sanitisation specialist ShP.