Most information, and the media it is held on, has a finite term of usefulness. Dealing with the data will be covered within the organisation’s defensible disposal strategy. The physical media has to be dealt with in the same professional and consistent manner. At the Data Centre level, there will be strict retirement policies, but most media is used directly by office staff, and they must understand how they can dispose of it.
What are the risks?
In the past, disposal of media consisted of throwing it in the nearest bin but this is no longer an option for most organisations.
Information access
Like information held in any other format, information held on local hard drives, CDs, DVDs and even floppy disks has to be accessible to the organisation. That information may be needed as part of a litigation procedure or simply be of value to people within the business.
Security of data
Compliance with financial, data security and data protection regulations requires that information, whether it is personal, organisational or financial, is held and disposed of securely. This is of particular relevance to Government, Health and Financial Services organisations for the protection of confidential, personal or sensitive information.
Environmental protection issues
In the past, magnetic media was dumped in landfill sites along with household and general rubbish. However, it was quickly realised that magnetic media does not break down and decay. It is no longer lawful to dispose of magnetic media in this way.
What should an organisation do?
The first part of a media disposal strategy is to ensure that all the information on the media is identifiable, accessible and searchable in line with wider Information Governance policy. It must be available for legal hold and defensible disposal. Once it has been decided that the information or storage media is no longer needed, there are different ways to dispose of it securely, depending on the media type:
Hard disk drive
Whilst files are ‘deleted’ from the hard drive on a computer, the files are not actually physically destroyed and could still be accessible using widely available data retrieval software. This only matters at the point where the computer has become obsolete and will no longer be used, or ownership of the equipment is being transferred outside the organisation. The data will have to be completely removed via the IT department or by a reputable third party service provider. If this service is outsourced, then the provider should issue a certificate to verify that the data removal has been completed. If the computer is likely to be reused, then further consideration must also be given to the licensing of any software that may still reside on the computer.
CDs/DVDs
Some CDs and DVDs can only be written to once; others may be rewritable. In either case, in order to be sure that the data is adequately protected, the best method for disposal of these disks is to physically destroy them. Breaking the disks into pieces and disposing of them as normal waste is suitable for non-sensitive data. Alternatively, an organisation may employ specialist services for disposal of this media.
Floppy disks and magnetic tape
Whilst the disks and tapes can be reformatted or erased, there still remains the possibility that data could be retrieved from them. The safest option for the protection of any confidential or sensitive information is to physically destroy them. This should follow the same process as for CDs/DVDs.
USB memory sticks
These data storage devices may have a useful lifespan of several years. However, if a stick is no longer being used and needs to be disposed of, and there is the possibility that it may have been used for the storage of any confidential or sensitive information, then physical destruction of the device is the safest way to guarantee that recovery of any data is impossible.
Paper
For many organisations, the storage and disposal of paper documents will be the responsibility of Records Management. However, business people should also understand how to properly dispose of their documents. Traditionally, disposal of paper records has consisted of simple vertical shredding. However, this method is not suitable for confidential or restricted information. A cross-cut shredder, or incineration, is more effective for particularly sensitive documents. Again, specialist services may be employed, but these service providers must issue a certificate of destruction. A simple rule for paper documents is: if in doubt, shred it.
Checklist
- Dispose of media in accordance with your organisation’s policy on records management and information security
- Consider the content of the media being disposed of to determine whether it is of a confidential or sensitive nature, and use an appropriate disposal method
- Don’t destroy the only copy of a record if it is not yet due for disposal under your organisation’s records retention guidelines
- Keep a log of all media that may contain sensitive information; update the log with removal or destruction certificates with the date of disposal
- Don’t discard media in the office waste without due care and attention to its contents and environmental implications
- Obtain certificates of destruction for media disposed of using specialist services