Privacy & Information Security Law Blog

On November 20, 2012, the UK Information Commissioner’s Office (“ICO”) published guidance on IT asset disposal for organizations (the “Guidance”) to explain “to data controllers what they need to consider when disposing of electronic equipment that may contain personal data.”

The Seventh Principle of the Data Protection Act 1998 (“DPA”) states that appropriate technical and organizational measures should be taken against accidental, loss or destruction of, or damage to, personal data. As the Guidance states, this means that data controllers “must have appropriate security in place to prevent the personal data you hold from being accidentally or deliberately compromised. This is relevant in the IT asset destruction and recycling process.”

The Guidance also emphasizes that “[i]f personal data is compromised during the asset disposal process, even after it has left your organisation, you may still be responsible for breaching the DPA so it is important to manage the process correctly.”

The Guidance offers three key suggestions for disposing of electronic equipment:

1. Create an asset disposal strategy: The Guidance recommends adding a section to the organization’s security policy that addresses the IT asset disposal process. When developing a strategy, organizations should look at how devices will be disposed of when they are no longer needed, consider conducting a risk assessment of the disposal process, identify which devices contain personal data and the nature of the personal data (in order to assess the risk of harm if compromised), and consider using a third-party service provider to remove IT assets.
2. Select an IT asset disposal company: The Guidance states that where a data controller uses a specialist asset disposal company, the disposal company will be considered a data processor. Because the data controller will bear the ultimate responsibility for any data that the asset disposal company does not delete successfully, the data controller should ensure that the asset disposal company provides sufficient guarantees of its security measures and, if possible, conduct a site assessment and audit of the asset disposal company. The relationship should be governed by a written contract containing the requisite data protection provisions, and the asset disposal process must be managed effectively through the use of inventories and regular monitoring and audits.
3. Assign an asset disposal champion: The Guidance states that a data controller should appoint a person responsible for asset disposal within its organization. That individual should be someone who has “a suitable level of authority, as security measures can become flawed and out of data very quickly, particularly if there is no accountability within an organization.” The Guidance suggests that an IT Security Manager may be suitable if one exists within the organization.