What's your Exit Strategy?

The following extract is taken from a paper delivered by Mr Ian Williams – Lead Policy Officer – Information Commissioner's Office, titled "The ICO perspective on asset disposal".

Data Protection Act 1998 – Schedule 1, Part 1, Principle 7

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

What does principle 7 mean in practice?

Organisational measures

  • Vetting staff
  • Ensuring staff confidentiality
  • Having clearly written policies and procedures in place
  • Appropriate training

Technical measures

  • Safe place to store personal data
  • Appropriate security software depending on the nature of the data
  • Appropriate exit strategy for personal data i.e. measures to destroy, delete or erase data

Managing the lifecycle

  • Check what you have got? How valuable/sensitive is it?
  • Who's in charge?
  • Security measures
  • Organisational measures
  • Staff
  • Physical security
  • Computer security
  • Have an exit strategy!

Data controller and processor relationship

Data Controller (End User)

  • decides what to do with the data
  • is ultimately responsible if something goes wrong with the data
  • must ensure compliance with the Act
  • have a written contract in place

Processor (Third Party Contractor)

  • acts on instructions from the data controller
  • is not subject to sanctions by the DPA

Lessons learnt

  • Don't think that your responsibilities end at the back door
  • Choose contractors carefully and make sure that they follow your instructions
  • Always have a written contract in place
  • If you are selling your hardware on, make sure personal data is removed

In addition to Principle 7, Data Controllers should also be mindful of Principle 5: stockpiling data devices intended for destruction could result in a breach of Principle 5.

Data Protection Act – Schedule 1, Part 1, Principle 5

Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.


Come and Meet The Regulators - March 14th 2013 - Ricoh Arena, Coventry

This seminar is FREE for persons involved in or responsible for disposing of redundant IT equipment.

Onsite Data is a member of Advanced Digital Dynamics Group, committed to helping you Protect your Data and therefore Protect your Reputation.