If your organisation processes personal data, you are responsible for doing so in line with the Data Protection Act 1998.
Processing, as defined in the Act, includes every aspect of collecting, storing, and modifying this data – and importantly for IT Asset Disposal, also includes destruction of this data.
As part of the 8 data protection principles that your organisation (the Data Controller) must comply with to protect client and individual data, there is an obligation to use ‘appropriate technical and organisational measures’ to protect personal information.
This means that your organisation retains liability for the information, as well as full control over its use, even when a third-party data processor (e.g. an IT Asset Disposal company) carries out the processing step that relates to destruction of the data. Any data breaches that occur as a result of the IT Asset Retirement process are the Data Controller's responsibility, and it is the Data Controller who will be investigated and fined by the ICO.
This liability highlights the importance of choosing an IT Disposal partner with great care.
The Information Commissioner’s Office (ICO), which is responsible for upholding the Data Protection Act, has recognised IT Asset Disposal as a major area of weakness for many companies in terms of their data protection obligations.
As such, it recently produced guidance notes for organisations that can be found here.
In summary, the key steps recommended by the ICO to demonstrate ‘appropriate technical and organisational measures’ when choosing and managing an IT Asset Disposal company are:
This can seem complicated, so to help, Re-Tek have created an infographic about complying with data protection legislation in IT disposal; click the link to download it: