Weapons of mass data destruction

What's the best way of securely disposing of your enterprise's sensitive data? Davey Winder investigates...

There's more to IT security than protecting the valuable data an enterprise obtains, uses and stores. How you dispose of it when the hardware it's sitting on reaches end-of-life should be a major concern too.

These days, only a fool thinks clicking 'delete' is enough to wipe data from a hard drive or that a quick disk reformat will do the trick. Smashing the drives with a hammer isn't a smart move either. So how should the enterprise tackle this problem, and what are the best weapons of data destruction? IT Pro has been investigating.

End-of-life errors

When NHS Surrey was fined £200,000 by the Information Commissioner's Office (ICO) last year for unwittingly releasing data on 3,000 patients to the general public, the enterprise should have sat up and paid attention.

The organisation had switched from an approved IT equipment disposal firm to another company that offered to destroy its data for free. To make money from the deal, the latter company retains any proceeds from the subsequent sale of the hardware.

It all went wrong for NHS Surrey, according to the ICO, when it failed to put in place any contractual governance over the security of that data disposal.

For example, the data protection watchdog said NHS Surrey should have carried out a proper risk assessment and put in place a written agreement with the provider stating the hard drives would be physically destroyed. Furthermore, it said certificates containing the serial numbers of each drive that had been destroyed should have been issued too.

"[It should have] taken reasonable steps to ensure compliance with those measures, such as effectively monitoring the destruction process and maintaining audit trails and inventory logs of hard drives destroyed by the company based on the serial numbers in the destruction certificates for each individual drive," the ICO said.

Now this may sound a tad harsh on NHS Surrey, which, after all, did have written assurances from the company concerned that the data would be securely disposed of. However, the Data Protection Act (DPA) clearly states data controllers have to take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data.

The DPA specifically requires 'outsourced processors', which includes anyone disposing of equipment containing data covered by the Act, to provide sufficient guarantees to meet the technical and organisational measures bit mentioned previously.

It would appear the third party in the NHS case was crushing the hard drives before selling on the computers in the belief this constituted securely disposing of the data held upon them. The fact purchasers were able to find data on them would suggest not all drives were removed and crushed. But, even if they were, it would have been no guarantee the data was actually permanently erased.
