On the back of countless stories in the news, the issue of data security is a hot topic at the moment. In the UK’s public sector, the need for organisations to tighten up on their policies is particularly pressing.
In the course of the past few months the Information Commissioner’s Office (ICO) has been clamping down heavily on breaches of sensitive data, resulting in some significant fines being levied against offenders.
In light of these developments, the ICO has issued guidance that organisations should have a policy in place for the disposal of their IT equipment. The wording states that organisations should be careful that they “don’t overlook asset disposal – if you use a contractor to erase data and dispose of or recycle your IT equipment, make sure they do it adequately. You may be held responsible if personal data gathered by you is extracted from your old IT equipment when it is resold.”
One area of the public sector that has to cope with the aforementioned adverse publicity lately has been the NHS. The most recent example of this is the case of Brighton and Sussex University Hospitals NHS Trust, who have been served with a record fine of £325,000 by the ICO. This was a consequence of sensitive data on hard drives not being securely destroyed, with hard drives containing this information being sold to the general public on an internet auction site.
It’s a difficult time for NHS IT Directors, with average predicted IT spending cuts of 10% in 2012, rising to 12% each year after until 2015. Against this background, it is vital that NHS Trusts put into place firm policies which will help them avoid significant ICO fines that they can scarcely afford to pay. Stringent policies are mostly already in place for how NHS bodies handle sensitive data while their IT equipment is in use, and applying the same strict procedures to data when disposing of old computers should be common practice.
Where NHS organisations lack the expertise to destroy data in-house – with reducing IT budgets this will likely become the norm – it is crucial they seek to employ the services of a trusted third party. Often these companies will be able to perform data destruction services onsite, thus eliminating any concerns over what happens when old hard drives leave NHS premises. These companies should also provide full certification of the process with details of hard drives destroyed by serial number.
Inaction on data destruction is no longer an option, and a shift towards stronger policies will not only help NHS Trusts comply with ICO guidelines, but also serve to protect the confidential details of patients falling into the wrong hands.