The Data Protection Act (1998) outlines a number of duties and responsibilities when working with, and storing personal data. This information could relate to employees or customers – as a “data controller” your business is expected to safeguard all information from loss, theft or accidental exposure.
Most businesses understand the importance of data security, and employ measures like network perimeter firewalls and antivirus software to keep information safe whilst in use. But your responsibilities don’t end once you have finished using personal data – the DPA requires you to protect that information right up to the point that it is destroyed.
Safe hardware disposal
Eventually your computers will reach the point where they are no longer fit for purpose and need to be disposed of. If the hardware is too old, you may choose to send it for WEEE certified recycling. Where there is some residual value, you could instead try and resell the hardware, recouping some of your capital spend in the process.
Whichever you choose, you must ensure that all data has been erased from the systems before it is released. Memory cards, hard drives and any other media used to save data must be entirely cleared of data.
When deleted isn’t deleted
Deleting data does not place it beyond recovery, even if you empty the recycle bin. Using basic, inexpensive tools, cybercriminals can easily recover deleted files – even if you format the drive.
The problem lies in the way that files are typically deleted on computers. Rather than physically removing files, the computer marks them ready for overwriting – everything is still there, just hidden from your operating system.
How to delete securely
There are two ways to prevent data from being recovered:
- Overwrite the drive completely.
- Physically destroy the drive.
The cheapest way to permanently delete files is to delete them, and then use a tool to completely overwrite the disk – preferably multiple times. These applications tend to be relatively cheap, albeit slow, as they overwrite every sector of the disk. They do however allow you to resell the disk, safe in the knowledge that personal data is unrecoverable.
The second option is to physically destroy the media. You could disassemble each drive and scrape the disk platters inside, but this is time consuming and may still leave some files intact. Instead a degaussing unit can be used to destroy the disk; a very strong magnetic field disrupts the disk platters, rendering them completely useless in around four seconds. Obviously, once destroyed, the disk cannot be sold or used again.
How you delete personal data is down to your company’s capabilities and budget. The one thing to remember is that you must ensure that personal data is completely unrecoverable before disposing of computer hardware. For more advice about secure file deletion as part of general business IT security, or for help with sourcing new IT hardware or software when you need replacements, please get in touch with our expert team in Birmingham, Bristol, London, Manchester, Oxford, Peterborough, Swindon or Thames Valley!