Erase and rewind – some tips on the safe destruction of data

How do you ensure that redundant hardware is scrubbed of sensitive or personal data?

As the data controller, it will be your responsibility (under the Data Protection Act) to ensure that the data is securely destroyed – even if the kit on which it is stored belongs to a contractor. If data is not properly destroyed, then there is a risk that it could be used to help perpetrate fraud or identity theft, or allow competitors to access your confidential information.

We’ve all read stories about hard drives full of confidential information ending up on eBay. As the volume of data held on servers increases, the more important it is to ensure that the data in question is destroyed when the kit or media upon which it is stored is no longer required.

However, there are two competing industries. On the one hand, plenty of legitimate businesses specialise in recovering apparently lost, corrupt or deleted data – whether it is for the purpose of forensic investigations or for disaster recovery purposes. On the other hand, another sector is trying to help people permanently destroy that data. The techniques used by the data recovery experts show that erasing (or even erasing and re-writing) is not sufficient to stop that data being recovered.

Here are some things to consider:

  • Firstly, develop and adopt (and follow) a policy setting out your organisation’s requirements in respect of the destruction of data. This is likely to involve adopting relevant British and international standards and certifications.
  • The safest thing (in terms of data security, if not avoiding trips to A&E) to do is to remove all drives from your hardware before you dispose of that hardware (replacement drives are cheap). But then what do you do? You could shred the drive (making sure that it is destroyed such that it cannot be reconstituted) or have it degaussed. For CDs and DVDs, as any student will tell you, it is fairly easy to melt them into oblivion.
  • If you do not wish to remove a drive from the hardware before disposal or do not wish to destroy it (or any other magnetic media), you could adopt a recognised erase/re-write standard – for example, the US Department of Defense standard.
  • If you are dealing with a contractor, you should ensure that your contract specifies what the contractor should (and should not!) do. Consider whether the contractor should be responsible for disposal or destruction of media and drives, or whether these should be done under your control.
  • Finally, ensure that your contract with your contractor includes appropriate provisions dealing with liability for a failure to follow those procedures, and rights to terminate the contract.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Twitter: @BrodiesTechBlog feed

February 2010
« Jan   Mar »

%d bloggers like this: