By Bonnie Drury and Ezra Steinhardt
The Information Commissioner’s Office (ICO) has produced new guidance on “IT asset disposal for organisations” to help data controllers understand their responsibilities relating to the destruction and disposal of electronic equipment. The guidance, which addresses one of the areas where organizations are most frequently fined under the UK Data Protection Act 1998 (DPA), explains how controllers should create an asset disposal strategy, take measures when engaging IT disposal companies, and assign responsibility for IT asset disposal within their organization. These measures are intended to help controllers comply with the seventh principle of the DPA, known as “information security”, which requires data controllers to take measures to ensure the security of the personal data they process.
There are three main elements to the ICO’s guidance:
- Create an asset disposal strategy. The organization should formulate an information security policy that includes a section on procedures for IT asset disposal and data deletion. This section should cover the devices used by the organization to process personal data; the nature of that personal data; how the devices will be disposed of when they are no longer needed; and how the risks associated with the disposal process will be assessed.
- Engage an IT disposal company. If the organization employs a specialist asset disposal company to deal with the devices, this company will likely be defined as a “data processor” under the DPA. As a result, a written contract should be put in place between the parties, detailing the organization’s instructions for disposal of the assets. The organization should monitor and audit the disposal process to ensure that the asset disposal service provider is complying with its instructions.
- Designate an asset disposal champion. A member of the organization with a suitable level of authority should have responsibility for IT asset disposal. This person should be aware of which devices leave the organization, what personal data is stored on them, and who has responsibility for erasing the personal data.