As our clients will know, we are very proud to have attained ADISA accreditation last year, probably the most stringent set of standards in IT asset disposal worldwide. ADISA not only randomly and exhaustively audit those they certify. They also study attitudes and behaviours in the market. Steve Mellings, a co-founder of ADISA, recently shared some of their findings, and they made for interesting reading so we thought we’d pass them on…
ADISA regularly uses the Freedom of Information Act to gauge how the UK public sector operates within the area of IT asset disposal. The latest of these shows evidence that a high proportion of responders are in fact currently breaking the Data Protection (DP) Act 1998.
Focusing on a group made up of councils, NHS trusts and police forces, ADISA asked four questions relating to awareness of the Information Commissioner’s Office (ICO) guidance notes and how the responders complied with these and with the strict letter of the DP Act.
The DP’s interpretation of the 7th Data Protection Principle (relating to security) requires that where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller must, in order to comply with the 7th principle:
a) choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out
b) take reasonable steps to ensure compliance with those measures.
Where processing of personal data is carried out by a data processor (that’s us) on behalf of a data controller (like you), the data controller is not to be regarded as complying with the 7th principle unless:
a) the processing is carried out under a contract –
(i) which is made or evidenced in writing and,
(ii) under which the data processor is to act only on instructions from the data controller
b) the contract requires the data processor to comply with obligations equivalent to those imposed on a data controller by the 7th principle.
What this essentially means is that any asset disposal company that performs data sanitisation services is classed as a data processor (as per the ICO asset disposal guidance notes), and therefore data controllers need to comply with the above requirements under the 7th Principle when using those companies.
Unfortunately, many of the organisations that responded to ADISA’s questions aren’t meeting this legal requirement…
1. “Is the person responsible for ICT Disposal aware of the Information Commissioner’s Guidance notes for IT Asset Disposal?”
88% replied yes. This is a control question to gauge understanding, but the high score is good news. Provided these guidance notes are being read, of course…
2. “Do you currently have an IT asset disposal policy?”
81% of organisations surveyed said they did. A key principle in the ICO guidance notes is the concept of organisational control and a starting policy is necessary. Again, this score is good, provided these policies are fit for purpose and being adhered to.
3. “Do you have a contract in place with your service provider?”
62% of councils said yes. Not so good. 38% don’t have a contract, and this requirement is explicitly listed within the DP, as we’ve seen. So essentially, this 38% are not currently meeting their regulatory requirement.
4. “When did you last audit your partner?”
There is a key requirement for data controllers to take “reasonable steps to ensure compliance with their security measures.” In past penalty charge notices the ICO has defined “reasonable steps” as including an audit profile.
Only 26% said they had done so in the last year, and surprisingly, 42% of respondents had NEVER audited their data processor. 8% of police forces (for example) said they relied on ADISA audits, so it’s just as well ADISA runs a monitoring service which offers a quick fix for those who aren’t able to audit their own partners.
By failing to audit their partners, they aren’t taking “reasonable steps” should a data breach occur. Of course it’s difficult to keep up with ever-increasing regulatory demands, but it would seem some organisations haven’t even made a start when it comes to asset disposal. Data processing service providers are not selected with due diligence, and too often the cheapest bid wins the contract. If firewalls and anti-virus solutions were selected in the same way it would be a national scandal, so why is the final part of the data protection process ignored?
We’re here to support our clients, if they let us. Many of the processes within the ADISA certification scheme exist to help data processors help data controllers meet their regulatory obligations.
Take a minute to review how you handle asset disposal. If ADISA’s survey results are anything to go by, you might be breaking the law.
With thanks to Steve Mellings, ADISA
To find out how BLACKMORE RICOTECH can manage your secure IT disposal, get in touch. Call 0800 880 3678 today.