
White Paper

May 2012

IT Disposals: What every Data Controller needs to know


Author: Andy Howell, Stone Group

Introduction
The Waste Electrical & Electronic Equipment (WEEE) Directive's introduction in 2007 enforced new disciplines when disposing of such equipment and, as a general piece of legislation preventing a toxic time bomb going to landfill, could be considered something of a success. With the Data Protection Act 1998 having been in force for almost a decade at that stage, little thought was initially given to the specific arena of IT Disposals and residual data. It was simply assumed that data controllers within the disposing organisations would have sanitised all sensitive data before any transfer of custody. Real-world reality, of course, is different. Pressures on resource and a general lack of foresight meant no financial provision was made when acquiring IT for its disposal, and with the austerity of recent years it's little wonder none has magically appeared as awareness has risen. Add to this the plethora of seemingly competent IT Asset Disposal (ITAD) companies spawned in the wake of the WEEE Directive, and what harm could come from allowing the third-party operator engaged to also deal with the data sanitisation? After all, everyone claims to be registered in some form or another and to provide a robust service that almost always includes data destruction in some form.

A £375,000 lesson from Brighton


Well, let's be clear here: enormous harm can arise from this relaxed approach. This is just what Brighton and Sussex University Hospitals NHS Trust did, and as a result the Trust is currently under threat of having imposed on it the largest fine ever for a breach of the Data Protection Act, at £375,000. The Trust engaged a registered contractor for its IT disposal, apparently to include destruction of hard drives. These drives were subsequently stolen by an employee of the contractor and sold on eBay, apparently still containing information on tens of thousands of patients.

Data Protection Act and the Information Commissioner


The Information Commissioner's Office (ICO) is the Government arm policing the Data Protection Act, and whilst most data controllers know the maximum fine the ICO could impose rocketed from £5,000 to £500,000 in April 2010, searching for clear and concise guidance on just how an organisation protects itself from becoming the next Brighton produces scant results.

Page 1 of 5

Andy Howell, Stone Group 2012


Given that a 2009 analysis* suggested 12% of all data losses occurred through improper disposal, how can this be? Well, it would appear the landscape may finally be changing, and it is widely expected that, having consulted with the Asset Disposal and Information Security Alliance** (ADISA), the ICO will soon be publishing guidance notes setting out best practice for IT disposals that should finally help all data controllers formulate a policy to protect their organisations.

What you really must know


Whilst any process involving human interaction will never be totally bullet-proof, the expectation is that the ICO will issue guidance that (if adhered to) would allow a best-practice defence should things go wrong. This guidance is expected to be based around four key requirements when engaging an ITAD to perform data destruction on your behalf:

a) The service must be contracted. A contract defines the obligations of each party and will be your irrefutable evidence that you contracted robust and secure data destruction. Lest we forget, responsibility for all data processing functions (including destruction) rests with you as data controller.

b) The service must specify the use of appropriate tools. In the context of data destruction, this could entail total physical destruction of the hard drives or, more typically today, data erasure (overwriting) software. As to whether these are appropriate or not: hard drive shredding should result in a fragment size corresponding to the impact level of the data contained, and erasure software should be independently verified as doing exactly what it says on the tin. In the UK, this would mean CESG*** approval.

c) The ITAD must document an agreed methodology that forms the basis of the service offering. Common sense, this one, but if you don't know how the process should flow, how can you verify it's providing the robustness you will be expected to demonstrate?

d) The ITAD and service must be subject to external auditing for verification. Extending on the above point, this actually helps the data controller by sharing the diligence obligation with a third party. External auditors must be suitably qualified.

No Disposal Budget and Pressure to recover Asset Value?


Selection of your ITAD partner, as we can see from the above, may ultimately prove one of the most critical and far-reaching decisions you will make as data controller, particularly so as European Commission proposals seek to place more legal responsibility on your shoulders. That said, it's clear from the current landscape that most organisations face the eternal paradox: the choice between optimum asset value recovery and robustness of process.


And generally speaking, therein lies the problem. Asset value recovery tends to be conducted by sharing the realisable value of the asset between the owner and the disposal company. The lure of greater returns will be offered by ITADs with lower overheads, yet this can only be achieved by compromising process. The old adage that cost neutral = risk in the realms of ITAD selection holds true now more than ever, but this document will seek to demonstrate how it may be possible both to protect your organisation and to achieve optimum asset value recovery. Pressure as there may be on all matters fiscal, don't lose sight of your priorities. The average value of a retired desktop may be as little as £20-30. A fine of up to £500,000 will not only erode any financial benefit you may have derived from corner cutting; it may also irrevocably damage the reputation and integrity of both the organisation and you personally.

Considerations when selecting your ITAD


Whilst there's obviously more than one way to achieve compliance with the guidance expected from the ICO, engaging an ADISA-accredited ITAD on a contracted basis with a clearly defined methodology that specifies the tools to be used would be a great start. I can tell you from Stone's own experience that the audit process is conducted thoroughly by a world-renowned firm of ISO 27001 auditors and fully scrutinises at least 130 aspects of the credentials, status, registrations, logistics, facilities, staff and other resources of the business, together with a step-by-step examination of its processes and systems. As part of ongoing accreditation, ADISA also performs a spot audit during each membership year. Most ADISA-accredited ITADs should be able to provide the necessary contract documentation and method statements and will invariably use appropriate tools.

The White Elephant of On-Site Data Destruction


Many organisations, paranoid about releasing data-bearing assets to an unknown third party, insist on data destruction being performed on-site. As a knee-jerk blanket policy this may appear to hold water, but I'd ask you to look beneath the surface a little to see the drawbacks. Stone has frequently been asked to complete such work only to find its staff being pointed to a basement, hospital corridor, shed or even a shipping container in the grounds outside to perform the tasks. Shredding lorries are often too large to access the client facilities securely and may require significant auxiliary power supplies. Noise is also frequently an issue, particularly when operating at hospitals or similar sites. Having spent in the region of £1 million creating a robust and secure facility that is custom built to perform ITAD processing, at Stone we'd suggest much greater efficiency, control and security can be derived by using proper transfer-of-custody and client engagement documentation before allowing the assets to be processed in such a purpose-built facility. Greater efficiencies result in reduced processing costs and increase the net asset value return. Happy days for all.

Summary

Organisations these days are complex, and we all have to dance for different puppet masters. The CEO will tell you brand/organisation integrity is everything, and you must never embarrass him with the stigma of a data breach. The FD will no doubt tell you there's no budget to engage a robust operator to dispose of redundant IT, and will no doubt press you further to achieve the best return. So how can you please them both? Inevitably, operating an ITAD business with a high-level service offering will incur sizeable overheads, so don't expect it to be the cheapest on process. That said, the right operator should be able to demonstrate higher-than-average market returns and may well be able to negate any additional costs of service provision through enhanced value recovery. Check this simply for yourself: where are their downstream markets? Are they a Microsoft Authorised Refurbisher? Does the reuse channel fit with your Corporate Social Responsibility policy? If you can find an operator that gives you the right answers to these questions and can also provide the ICO-compliant service contract, then congratulations, you've found utopia.

* Source: KPMG Data Loss Barometer.

** The Asset Disposal and Information Security Alliance was formed in 2010 as a trade body bringing certification and regulation to those companies operating in the IT Asset Disposal arena. ADISA is chaired by John Sutton, a former lead policy developer at CESG. He is the author of Information Assurance Standard 5 (IAS5), which sets out the UK national standards for the secure disposal of retired IT assets and also the secure sanitisation of sensitive data.

*** CESG is the Communications Electronics Security Group, a division of GCHQ, and is the National Technical Authority for Information Assurance.


About the Author


Andy Howell is Recycling Director at Stone Group and has been involved with Information and Communications Technology since 1986, focussing on developing a secure and robust IT disposal process at Stone since January 2009. As a protagonist of the need for greater regulation and control within the ITAD sector, Andy was a founder member of the ADISA Advisory Council and continues to serve as a member of the ITAD Council. Established in 1991, Stone is the UK's largest privately-owned IT hardware manufacturer and the only UK manufacturer to have invested in its own recycling department. Dedicated to the UK Public Sector, Stone is also a direct Microsoft Authorised Refurbisher and the only hardware manufacturer globally to have achieved a Pass with Distinction for its IT Disposal activities against the ADISA ITAD standard. Pass with Distinction requires an appraisal result exceeding 90%, and in Stone's case this was achieved against ADISA's enhanced 2012 standard.

Stone Group
T: 08448 221122, Fax: 08448 221123, www.stonegroup.co.uk, Granite One Hundred, Acton Gate, Stafford ST18 9AA
