Sensitive company data: a WEEE word to the wise

On 25 July the Government launched a public consultation on, and announced an implementation date of 1 July 2007 for, the much-delayed EC Directive on Waste Electrical and Electronic Equipment (WEEE).

This will mean that from 1 July 2007, the law requires producers of electrical equipment to bear the main burden of legal responsibility for the collection, treatment and recovery of any new PCs or IT equipment that personal users or businesses purchase.

Once the Regulations come into force, as a business user of IT equipment, you will be legally responsible for the collection, treatment and recovery of all PCs purchased before the implementation date, unless you are buying new PCs to replace old ones on a like-for-like basis.

If you are replacing old PCs with new equipment, manufacturers and resellers are required by the new law to take responsibility for the costs of collection, treatment and recovery of any equipment being replaced on a like-for-like basis. This could be through an number of ways such as: the consumer can bring back the old item to the point of sale if there is not a delivery service; the consumer can expect the retailer to arrange the take back of the old item from their premises if they deliver the new item; or the retailer can arrange an alternative method of take back, through a third party agreement, but this method must not make it harder for the consumer to return the product.

Where you are responsible for the collection, treatment and recovery of redundant PCs and other IT equipment you will also be responsible for reporting evidence to show that they have been disposed of in accordance with the new law. Disposal of these machines should be able to be done through Designated Collection Facilities, probably at council run tips, where they will then be recycled. Alternatively businesses could choose to reuse machines by giving them to employees, local schools etc. or donating them to charities such as Computer Aid International, which sends the computers for use in developing countries.

One of the benefits of using a charity such as Computer Aid is that the organisation will provide you with a certificate to say you are in full compliance with the legislation; it will also wipe the computers hard drive for you so there is no risk of sensitive data falling into the wrong hands.

Many companies are guilty of not effectively wiping computer hard drives before they dispose of, however that may be, computers. As a single hard drive can have thousands upon thousands of pages of personal information this can have serious consequences.

According to the Environment Agency roughly 23,000 tonnes of electronic waste, the equivalent of about 750,000 computers is flooding out of the UK and into the developing world every year. A recent BBC Real Story highlighted the fact that these computers often end up in computer markets in cities such as Lagos, Nigeria. The problem comes when hard drives have not been adequately wiped and then fall into the hands of someone criminally minded.

It is not just computers sent abroad that can cause a problem, any computers which are passed on without first having all their data wiped pose the same risk. In 2005 a study by the University of Glamorgan examined 92 second-hand computers acquired from a variety of sources, including eBay and computer fairs, and set to find out how much data could be recovered from the hard drives. The researchers had no prior knowledge of where the disks had been purchased or what was on each disk.

Of the computers they studied the researchers found that 57% of the hard drives contained information from which organisations could be identified; 53% contained identifiable usernames; 51% contained personal information including complete databases of customer information, and employee information including their names, addresses, contact details and their national insurance numbers; and 20% contained financial information relating to the organisations, including sales receipts and profit and loss reports.

The storage and disposal of information has become an increasingly sensitive issue since the Data Protection Act 1998 and the Human Rights Act 1998 both came into force in 2000. Any material containing personal data such as names, addresses or financial and legal details must be completely destroyed when disposed of.

Under the Data Protection Act, businesses must have a data control policy to ensure that secure methods are used to prevent the unlawful disclosure or accidental loss of personal data. A data controller is legally responsible for any data until it has been destroyed.

Ths means its is vital that, before disposing of computers in any way, businesses ensure that the hard drives are completely wiped either by using specialist software, giving the job to specialist companies or by using a charity such as Computer Aid.

Original text is here