Data Protection implications of asset disposal - ICO issue guidance
The ICO has recently issued guidance on secure disposal of IT equipment, the full details of which can be found here: IT disposal - Data Protection Guidance for Organisations - ICO
There were a couple of points in the overview that stood out for me though. Here's all their points, but the last two are interesting...
I've always erased hard disks before handing them over, but the company we use do their own erasure, which suggests not everyone does. However, we've never entered into a written contract with them, and according to the ICO, this is required under the DPA if they are doing the erasing for you. I wonder how many schools do this?
When disposing of old IT equipment you should:
- ensure that the responsibility of asset disposal is assigned to a member of its staff with a suitable level of authority;
- complete a full inventory of all equipment that you have marked for disposal;
- be clear about what will happen with devices when you no longer need them;
- consider the security vulnerabilities associated with each method of disposal;
- ensure you delete personal data before recycling devices, so that data is not accessible to others after the device has left your ownership;
- be aware that any specialist service provider you use will be considered to be a ‘data processor’ under the DPA; and
- have a written contract in place between you and the data processor, ensuring that there is an appropriate level of security in place.