Wednesday, August 8, 2007

Do You Have a Confidential Data Control Policy? Company Fined Almost £1 Million for Inadequate Security Measures Following Laptop Theft

Since the introduction in the UK of the Data Protection Act in 2000, the responsibilities of companies relating to the destruction of confidential data have become more stringent.

Organisations must destroy, under secure conditions, any data containing personal information including names, addresses, financial and legal details. The Act covers information held in manual files, as well as information held on computers and portable media. Every company must have a data control policy.

This has implications not only for the disposal of office bin waste, but also for the disposal of obsolete computer equipment, including portable media. Regular readers of this blog will be aware that reformatting storage media does not permanently erase data.
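To make the last point concrete, here is an added illustration (not code from the original post) that simulates a storage medium as a byte array with a small file-table header in front of the data area. A "quick format" in this model rewrites only the table, as real quick formats largely do, while a secure wipe overwrites every byte. The file layout, the record format and the sample customer record are all constructed for the example; real file systems are more complex, but the principle that a reformat hides data rather than destroying it is the same.

```python
import os
import re
import struct

HEADER_SIZE = 64              # simulated "file table" region at the start of the medium
ENTRY = struct.Struct("<II")  # one table entry: (offset, length) of a stored file


def new_disk(size: int = 4096) -> bytearray:
    """A blank simulated medium: every byte zero."""
    return bytearray(size)


def table_entries(disk: bytearray) -> list:
    """Parse the file table: consecutive (offset, length) pairs; a zero length ends the list."""
    entries = []
    for pos in range(0, HEADER_SIZE, ENTRY.size):
        offset, length = ENTRY.unpack_from(disk, pos)
        if length == 0:
            break
        entries.append((offset, length))
    return entries


def write_file(disk: bytearray, content: bytes) -> int:
    """Store a file after the last one and register it in the table. Returns its offset."""
    entries = table_entries(disk)
    if len(entries) * ENTRY.size >= HEADER_SIZE:
        raise ValueError("file table full")
    offset = max((o + n for o, n in entries), default=HEADER_SIZE)
    if offset + len(content) > len(disk):
        raise ValueError("medium full")
    disk[offset:offset + len(content)] = content
    ENTRY.pack_into(disk, len(entries) * ENTRY.size, offset, len(content))
    return offset


def list_files(disk: bytearray) -> list:
    """What the operating system shows: only files still referenced by the table."""
    return [bytes(disk[o:o + n]) for o, n in table_entries(disk)]


def quick_format(disk: bytearray) -> None:
    """A quick format rewrites only the file table; the data area is left untouched."""
    disk[:HEADER_SIZE] = bytes(HEADER_SIZE)


def secure_wipe(disk: bytearray) -> None:
    """Overwrite every byte of the medium: one random pass, then a zero pass."""
    disk[:] = os.urandom(len(disk))
    disk[:] = bytes(len(disk))


def carve(disk: bytearray, pattern: bytes) -> list:
    """Forensic-style carving: scan the raw bytes for records, ignoring the table entirely."""
    return [m.group(0) for m in re.finditer(pattern, bytes(disk))]


def demo() -> dict:
    """Quick format vs. secure wipe on a constructed customer record."""
    disk = new_disk()
    record = b"CUST:A. Customer;SORT:00-00-00;ACCT:12345678\n"  # constructed sample, not real data
    write_file(disk, record)
    pattern = rb"CUST:[^\n]*\n"
    result = {}
    quick_format(disk)
    result["visible_after_quick_format"] = len(list_files(disk))   # the OS sees nothing
    result["carved_after_quick_format"] = len(carve(disk, pattern))  # the record is still there
    secure_wipe(disk)
    result["carved_after_wipe"] = len(carve(disk, pattern))          # now it is gone
    return result


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns zero visible files but one carvable record after the quick format, and nothing after the overwrite. For a disposal policy the practical consequence is that only a full overwrite of the medium (or physical destruction) counts as destroying the data; deleting files or reformatting does not.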

Failure to comply with the Act may result in heavy fines, even if the loss of data occurs through theft. In February of this year the financial regulator fined Nationwide Building Society almost £1m following the theft of a laptop from an employee's home last year. The computer contained confidential customer information and may have put millions at risk of identity theft. The Financial Services Authority said Nationwide did not have adequate security procedures in place and was critical of the time it took to investigate.

For advice on how to reduce your exposure click on the following link to download the Information Security Now publication, and navigate to page 11.