CALL US
0845 1234 400
107 Fleet St, London, EC4A 2AB

E-MAIL US
secure data destruction

hard drive and hard disk services

data destruction
data destruction
data destruction
Hard Drive Destruction
Wipe Hard Drive
WEEE recycling
Hard Drive Destruction
Data Loss Prevention
Information Security
ISO 27001 Blog
asset management
Partners
SyOP 7.13
London, UK

 

Data Protection & Recycling Laws

Below is an overview of some of the data protection and environmental laws and regulations applicable to the UK with which our services can help you comply:

UK Legislation Changes in 2010

Data Protection enforcement in the UK has never looked so intimidating! 2010 will see a much tougher regulatory environment than before.

The Information Commissioner's Office (ICO) are involved in two Government consultations which will see the introduction of new penalties, unlike any seen before, for breaches of the data protection act (DPA) 1998.

Penalties being finalised include:

  • Fines of up to £500,000 for serious contraventions of the DPA
  • Prison Sentences for deliberate or negligent customer data leaks by individuals within an organisation.

The ICO has recently acquired the statutory right to audit Government Departments.

Monetary Penalty Notices and the ICO's Draft Code

This power is expected to come into force in April 2010. The legislation (section 55A, DPA) states that the ICO may serve a data controller with an MPN if satisfied that:

  • there has been a serious contravention of the DPA and such contravention was of a kind likely to cause substantial damage or substantial distress; and
  • it was either committed deliberately; or
     
  • the data controller knew/ought to have known there was a risk that the contravention would occur and that it would be of a kind likely to cause substantial damage or substantial distress but failed to take reasonable preventative steps.

Data Protection Act 1998

This places direct PERSONAL responsibility on many company directors and managers to ensure the proper destruction of data.

The Information Commissioners Office advises that as a Data Controller, "You...must comply with the Act from the moment you obtain the data until the time when the data has been returned, deleted or destroyed. Your duties extend to the way you dispose of personal data when you no longer need to keep it – you must dispose of the data securely and in a way which does not prejudice the interests of the individuals concerned."

"Changes in an organisation’s circumstances do not reduce an individual’s rights under the Act. Even if an organisation goes out of business, individuals are still entitled to expect that their personal data will be processed in accordance with the data protection principles."

Under the Act, a Data Controller is defined as any person "who decides how and why personal data is processed".

The Data Processor is defined as the person uses the data in the manner determined by the Data Controller . Eg. the Data Processor works for the Data Controller. It is the latter who carries the responsibility under the Act..

Below are some examples of situations which clarify how data destruction responsibilities might fall.

DPA Example 1:

Organisation A engages Company B which provides business services to administer Organisation A's employee payroll function. Organisation A also engages a marketing services firm, Partnership C, to carry out a satisfaction survey of its existing customers. Company B will need information about the Organisation A ’s employees, and the Partnership C will need information about its customers. Both B and C will be processing the information on behalf of Organisation A, and so they are both Data Processors. Organisation A will be the Data Controller in this case.

However, If Company B also provides staff recruitment services to Organisation A, it will be the Data Controller with regards to the information about employment candidates that it collects and stores. Likewise, if Partnership C provides outsourced telemarketing services to A, and buys in mailing lists as part of the service, then it will be the Data Controller.

Finally, B and C will, as a matter of course, also be processing personal data about their own employees and, in respect of that personal data, they will be Data Controllers.

DPA Example 2:

A travel agency is run as a partnership by Mr A and Mr B. As a consequence of a downturn in business, the travel agency ceases trading abruptly. Its premises are locked up and its computers and hard disks (which contain customer information) lie idle. Mr A and Mr B remain responsible for ensuring that their customers’ personal data remains secure and that whatever happens to it complies with the Data Protection Act. This duty will continue even if the partnership is dissolved.

 

Financial Services Authority

The FSA’s Principle for Business No 3 states that “a firm  or organisation must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems”.  This can be applied to the organisation’s data protection obligations.  

In the years between 2004 and 2008, the FSA levied fines of approximately £1.8 million in relation to lapses in data security. This rose to £3 million in one year during 2009.

 

Sarbanes-Oxley Act

Many UK companies that operate in the United States fall under this act and should take steps to ensure compliance. The Sarbanes-Oxley Act makes corporate executives explicitly responsible for establishing, evaluating and monitoring the effectiveness of internal controls over financial reporting. This inevitably involves the IT department in auditing systems and data lifecycle management. Data destruction is a part of this. Data should be securely destroyed and records kept.



The Environment Act

This places a duty of care on your organisation to ensure your redundant IT equipment is collected by a Licensed Waste Carrier who will take it to a licensed site for disposal, recycling or to be refurbished.

 

Waste, Electronic & Electrical Equipment Directive (WEEE)

All IT equipment and other electrical items must be recycled in line with the standards specified in the WEEE Directive. You may be prosecuted if you fail to comply with the regulations.

 

Basel Convention

Forbids the export outside the OECD of redundant computer equipment which may be hazardous . There is a significant black market in ‘dumping’ used IT equipment in places such as east Africa.

 

Data Eliminate provides services which are compliant to:

 

by shredding hard drives!

 

Local Government Association
All personal information should be securely destroyed  electronic media by overwriting, erasure or degaussing for reuse. This is in accordance with government guidelines. Where possible, a CCTM approved product or service should be used.

SOCITM, Data Handling Guidelines for Local Authorities

 
 

contact us I terms of use I site map

The company is registered in England No: 06476020 at 53 Balham Grove, London
SW12 8AZ ©Copyright 2009-2010 Data Eliminate. All rights reserved.