Data Protection & Recycling Laws
Data Protection enforcement in the UK has never looked so intimidating!
What’s more is that coming months and years will see a much tougher regulatory environment than before.
Below is an overview of some of the data protection and environmental laws and regulations applicable to the UK with which our services can help you comply:
In 2010, the Data Protection Act was strengthened such that it now carries penalties such as those below:
- Fines of up to £500,000 for serious contraventions of the DPA
- Prison Sentences for deliberate or negligent customer data leaks by individuals within an organisation.
The ICO also has the statutory right to audit Government Departments.
Monetary Penalty Notices and the ICO’s Code
The DPA legislation updated in 2010 (section 55A, DPA) states that the ICO may serve a data controller with an MPN if satisfied that:
- there has been a serious contravention of the DPA and such contravention was of a kind likely to cause substantial damage or substantial distress; and
- it was either committed deliberately; or
- the data controller knew/ought to have known there was a risk that the contravention would occur and that it would be of a kind likely to cause substantial damage or substantial distress but failed to take reasonable preventative steps.
This places direct PERSONAL responsibility on many company directors and managers to ensure the proper destruction of data.
The Information Commissioners Office advises that as a Data Controller, “You…must comply with the Act from the moment you obtain the data until the time when the data has been returned, deleted or destroyed. Your duties extend to the way you dispose of personal data when you no longer need to keep it – you must dispose of the data securely and in a way which does not prejudice the interests of the individuals concerned.”
“Changes in an organisation’s circumstances do not reduce an individual’s rights under the Act. Even if an organisation goes out of business, individuals are still entitled to expect that their personal data will be processed in accordance with the data protection principles.”
Under the Act, a Data Controller is defined as any person “who decides how and why personal data is processed”.
The Data Processor is defined as the person uses the data in the manner determined by the Data Controller. E.g. the Data Processor works for the Data Controller. It is the latter who carries the responsibility under the Act.
Below are some examples of situations which clarify how data destruction responsibilities might fall.
DPA Example 1:
Organisation A engages Company B which provides business services to administer Organisation A’s employee payroll function. Organisation A also engages a marketing services firm, Partnership C, to carry out a satisfaction survey of its existing customers. Company B will need information about the Organisation A’s employees, and the Partnership C will need information about its customers. Both B and C will be processing the information on behalf of Organisation A, and so they are both Data Processors. Organisation A will be the Data Controller in this case.
However, If Company B also provides staff recruitment services to Organisation A, it will be the Data Controller with regards to the information about employment candidates that it collects and stores. Likewise, if Partnership C provides outsourced telemarketing services to A, and buys in mailing lists as part of the service, then it will be the Data Controller.
Finally, B and C will, as a matter of course, also be processing personal data about their own employees and, in respect of that personal data, they will be Data Controllers.
DPA Example 2:
A travel agency is run as a partnership by Mr A and Mr B. As a consequence of a downturn in business, the travel agency ceases trading abruptly. Its premises are locked up and its computers and hard disks (which contain customer information) lie idle. Mr A and Mr B remain responsible for ensuring that their customers’ personal data remains secure and that whatever happens to it complies with the Data Protection Act. This duty will continue even if the partnership is dissolved.
The planned implementation will place additional restrictions on disposal of data-bearing assets. Particular areas of relevance to data destruction are:
|Article 23||Privacy by Design and by Default requires that data protection is designed into the development of business processes for products and services.|
|Article 31||The Data Controller has to notify the ICO AND its customer and users without undue delay and, where feasible, not later than 72 hours after having become aware of the data breach. (This carries a huge cost burden on the Data Controller in the event of a breach.)|
|Article 33||Data Protection Impact Assessments have to be conducted when specific risks occur to the rights and freedoms of data subjects.|
The following sanctions may be imposed:
- A warning in writing in cases of first and non-intentional non-compliance
- Regular periodic data protection audits
- A fine up to 100,000,000 EUR or up to 5% of the annual worldwide turnover in case of an enterprise, whichever is greater.
Firms have legal and regulatory responsibilities to safeguard their consumers’ data and the FCA require firms to have adequate systems and controls in place to discharge these responsibilities. The FCA recommends that computer hard drives and portable media being properly wiped (using specialist software) or destroyed as soon as they become obsolete.
They provide the following as examples of poor practice in disposal of customer data:
• Firms stockpiling obsolete computers and other portable media for too long and in
• Firms relying on others to erase or destroy their hard drives and other portable media securely without evidence that this has been done competently.
Many UK companies that operate in the United States fall under this act and should take steps to ensure compliance. The Sarbanes-Oxley Act makes corporate executives explicitly responsible for establishing, evaluating and monitoring the effectiveness of internal controls over financial reporting. This inevitably involves the IT department in auditing systems and data lifecycle management. Data destruction is a part of this. Data should be securely destroyed and records kept.
The PCI Security Standards (PCIDSS) Council obliges organisations which process credit card or electronic payment information to comply with the following security requirements to destroy media which is no longer required to be kept for commercial of legal reasons in one of the following:
- Shredding, incineration or, in the case of paper, pulping. This must make cardholder data stored on electronic media unrecoverable so that it cannot be reassembled
- Physical destruction of hard copy material should be confirmed to ensure it cannot be reconstituted
- Secure data wiping, degaussing or hard disc shredding should be utilized to verify that cardholder data has been effectively rendered
- Storage containers in which items are destroyed prior to destruction should be secure with a lock.
This places a duty of care on your organisation to ensure your redundant IT equipment is collected by a Licensed Waste Carrier who will take it to a licensed site for disposal, recycling or to be refurbished.
All IT equipment and other electrical items must be recycled in line with the standards specified in the WEEE Directive. You may be prosecuted if you fail to comply with the regulations.
The WEEE Directive governs the collection, recycling and recovery targets for all types of electrical goods.
Data Eliminate provides services which are compliant to:
Infosec Standard No. 5 for the secure erasure of data up to and including HMG RESTRICTED (Impact Level 3)
British Standard BS 8470:2006 Secure Destruction of Confidential Material