Data Protection Act 1998
The Data Protection Act 1998 places a further legal obligation on companies with respect to disposing of IT equipment.
If your organisation processes personal data, you are responsible for doing so in line with the Data Protection Act 1998. Processing, as defined in the Act, includes every aspect of collecting, storing, and modifying this data – and importantly for IT Asset Disposal, also includes destruction of this data.
As part of the eight data protection principles that your organisation (the Data Controller) must comply with to protect client and individual data, there is an obligation to use ‘appropriate technical and organisational measures’ to protect personal information.
This means that your organisation retains liability for the information, as well as full control over its use, even when a third-party data processor (e.g. an IT Asset Disposal company) carries out the processing step that relates to destruction of the data. Any data breaches that occur as a result of the IT Asset Retirement process are the Data Controller's responsibility, and it is the Data Controller who will be investigated and fined by the ICO.
This liability highlights the importance of choosing an IT Disposal partner with great care.
The Information Commissioner’s Office (ICO), which is responsible for upholding the Data Protection Act, has recognised IT Asset Disposal as a major area of weakness for many companies in terms of their data protection obligations. As such, it recently produced guidance notes for organisations that can be found here.
In summary, the key steps recommended by the ICO to demonstrate ‘appropriate technical and organisational measures’ in choosing and managing an IT Asset Disposal company are:
- Create an IT Asset Disposal Strategy
- Assign an Asset Disposal Champion
- Select an IT Asset Disposal Company that can demonstrate its ability to ensure security
- Draw up a contract with the Disposal Company that defines obligations
- Regularly audit their services