Friday, 1 June 2012

Destroy your hard drives

The UK Information Commissioner has fined a Hospital Trust £325,000 (roughly $500,000) for failing to ensure that around 1,000 hard disk drives were properly destroyed by one of its contractors (Sussex Health Informatics Service). At least 252 of those drives went astray.

There's no excuse for this really. There are several good techniques to ensure the safe and complete destruction of data on hard drives, and I'll happily advise anyone who contacts me on how that destruction can be done. From the BBC report it looks like one individual was not properly supervised and thought he could make a quick buck by selling the hard drives rather than destroying them. Outsourcing destruction does not outsource the legal responsibility: the Trust remained the data controller, and it needed evidence that each drive had actually been wiped or physically destroyed (for example a certificate of destruction reconciled against drive serial numbers), not just a contractor's word.

Businesses and other organisations have a legal responsibility to look after the personal and confidential data they hold. If the personal information on those disks had leaked into the public domain it could have done serious damage to those concerned. Cases like this will continue until the board of the organisation takes privacy seriously rather than treating it as an obscure technical matter. Break the rules and you can be fined up to £500,000. To be honest, fines will not fix the problem; the penalty should include a criminal record and a prison sentence of up to two years for negligent directors.

Here are the eight key principles by which the Information Commissioner judges your organisation's processing of personal information, both electronic and on paper. They are based on the 1972 Younger report, so this is not exactly a new concept.

Data must be:
• Fairly and lawfully processed
• Processed for limited purposes
• Adequate, relevant and not excessive
• Accurate and up to date
• Not kept for longer than is necessary
• Processed in line with the data subject's rights
• Secure
• Not transferred to other countries without adequate protection
