Although there’s a wealth of documentation online around data protection, it still comes as a surprise to us that many of our customers don’t understand the importance of knowing exactly what happens to their end-of-life hardware after it leaves their building.
The truth is, nothing is more important than traceability. Making sure that your data-bearing hardware doesn’t end up in some random landfill is absolutely paramount when it comes to protecting potentially sensitive data about your students, staff or even members of the public. And we’re not saying that just to be dramatic. In 2011, the BBC aired a Panorama documentary called “Track My Trash”, in which they revealed that Britain’s e-waste was being illegally leaked into West Africa. Posing as a small business, the team placed a tracking device in an old TV set and paid a recycling company to dispose of it for them. No sooner had it arrived back at Sanak Ventures’ headquarters in Wembley than it was on its way to Felixstowe Docks, then shipped to Ghana before it finally ended up in Lagos, Nigeria.
It’s easy to translate a broken TV set in your mind to an old school admin PC, which has within it a hard drive holding pupil records. And once it’s over there – there’s no telling what might happen to it. And although the documentary was 5 years ago, we’re sorry to say that there are still active companies out to make a profit with very little regard for regulations or the safeguarding of your data.
The so-called “white van men” of the industry will advertise a quick and reliable service for a seemingly bargain price. They’ll then come and collect your old hardware in an unsecured vehicle, drive away and then… who knows. You have no record of where it goes after that. And they certainly don’t. Has your data been completely destroyed? Is it completely irretrievable? It’s easy to see how anyone could get hold of your data in this situation.
Not only is this approach ethically unsound, it also flouts data regulation. And being in breach of data protection regulation is potentially disastrous. A data “leak” can result in fines of up to £500,000 issued by the Information Commissioner’s Office (ICO), not to mention the potentially grave consequences for the subjects of the data.
The Data Protection Act (1998) states that a monetary penalty notice (MPN) will be issued if it’s determined that “the data controller knew/ought to have known there was a risk that the contravention would occur and that it would be of a kind likely to cause substantial damage or substantial distress but failed to take reasonable preventative steps”. This means that the data controller (you) needs to be very aware of exactly where their hardware is ending up, which should include researching and selecting a reputable and compliant recycling company.
So, how do you make sure this doesn’t happen to you? It’s about selecting the right people to take care of your end-of-life hardware. With that in mind, here’s what a compliant, airtight and truly traceable IT recycling process looks like.
- You keep a record on your system of hardware which is being disposed of via the recycling company, with serial numbers and any of your own identifiers (asset tags). You note which hardware is data-bearing. And we don’t need to tell you by now that even if you think you’ve wiped a hard drive, the data is not irretrievable.
- You arrange collection of the hardware with an accredited, compliant and reputable company.
- The recycling company comes and collects your hardware in a secure, tracked vehicle. The hardware is checked and weighed onto the van.
- The van and the hardware arrive at the recycling facility. It is checked off the van and weighed again.
- The hardware is processed. It is scanned into the company’s system.
- Any data-bearing hardware is securely and completely wiped by industry-leading software. This is noted on the system.
- Hard drives, solid state drives or any other data storage devices that are past their usable life are completely destroyed (in some cases, shredded into 6mm strips).
- Wherever the hardware goes on to next – this is noted in the system. If it’s refurbished and reused, broken up into parts or broken down into its constituent elements, that’s noted on the report. Others should offer a report which you will receive once the process has been completed.
As you’ll have noticed, not only is the above process completely traceable from start to finish, it also ensures accountability. Should hardware get misplaced and a data breach occur, it’ll be very easy to pinpoint exactly where said hardware went missing, and who’s responsible.
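One way to check a recycler's completion report against your own disposal register and pinpoint where custody was lost, as an added example that is not part of the original article or any recycler's system. The field names, stage names, weight tolerance and sample records are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    """One line of your own disposal register (field names are assumptions)."""
    serial: str
    asset_tag: str
    data_bearing: bool

# Custody stages in the order the process lists them; stage names are assumptions.
STAGES = ("collected", "received", "scanned", "sanitised", "disposition")
SANITISED = {"wiped", "destroyed"}  # either one satisfies the 'sanitised' stage

def reconcile(register, events, weight_out_kg, weight_in_kg, tolerance_kg=0.5):
    """Compare the register with the recycler's report; return a list of findings."""
    seen = {}
    for serial, stage in events:
        stage = "sanitised" if stage in SANITISED else stage
        seen.setdefault(serial, set()).add(stage)
    findings = []
    for asset in register:
        recorded = seen.get(asset.serial, set())
        for stage in STAGES:
            if stage == "sanitised" and not asset.data_bearing:
                continue  # nothing to wipe on non-data-bearing kit
            if stage not in recorded:
                # The first missing stage is where custody was lost.
                findings.append(f"{asset.asset_tag} ({asset.serial}): no '{stage}' record")
                break
    for serial in sorted(set(seen) - {a.serial for a in register}):
        findings.append(f"{serial}: on recycler report but not in your register")
    if abs(weight_out_kg - weight_in_kg) > tolerance_kg:
        findings.append(f"weight mismatch: {weight_out_kg} kg onto van, {weight_in_kg} kg off")
    return findings

# Constructed sample data, not real serial numbers or a real recycler report.
REGISTER = [
    Asset("SN-A100", "SCH-0001", True),   # admin PC with hard drive
    Asset("SN-A101", "SCH-0002", True),   # laptop
    Asset("SN-M200", "SCH-0003", False),  # monitor
]
EVENTS = [
    ("SN-A100", "collected"), ("SN-A100", "received"), ("SN-A100", "scanned"),
    ("SN-A100", "wiped"), ("SN-A100", "disposition"),
    ("SN-A101", "collected"), ("SN-A101", "received"), ("SN-A101", "scanned"),
    ("SN-A101", "disposition"),            # reused, but no wipe recorded
    ("SN-M200", "collected"),              # never checked off the van
]

if __name__ == "__main__":
    for finding in reconcile(REGISTER, EVENTS, 21.4, 18.9):
        print(finding)
```

An empty list means every registered item has an unbroken record from collection to final disposition and the two weighings agree within the tolerance.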
If you’re selecting a recycling partner for your IT hardware, make sure you not only question them thoroughly about their processes, but you also have a signed contract or service level agreement (SLA), which sets out this process. That way both you and the company are committed to this, and should a mistake occur at their end, you are not culpable. It’s up to you to select a reputable company who will handle your data correctly. Be careful out there!