Securing your data

The Weee directive will see an increase in the collection of discarded computers. But what about the data stored on them? Graham Davy examines the implications

With the recent story of end-of-life computers from the UK being found in Nigeria with hard drives full of sensitive data, the issue of secure destruction has come to the fore of people’s thinking.

Despite reuse being held as the ideal under the Weee directive, the trend at the moment in industry is towards destruction and material recovery, which are seen very much as the most secure option.

As a general rule, many reputable organisations are able to offer a data wipe service to a standard that guarantees complete clearing of the hard drive. The obvious advantage of this route is that it allows reuse of a computer, or server, within the company or sold into an external reputable market. For instance, an older server could have extra memory fitted before being redeployed in the same business saving the need for new investment in lower-spec servers. But some institutions that deal with particularly sensitive data have to pursue the total destruction route because of the nature of the information held on a server or hard disk.

So, what should people be looking for when it comes to secure data destruction? The first point to note is that security of information is vital and its removal must be provable. It would be difficult to exaggerate the potential damage that could be caused to any number of businesses if sensitive information were to find its way into the public domain. Although responsible companies will do their utmost to remove data before allowing computers out of their control, a second check by a specialised company will bring increased comfort.

Security starts the moment the server is unplugged, and before it leaves the building. Companies should make sure that their reprocessing partner uses secure transport, including specialised containers. The onward journey of Weee, before it is processed, should always be completed on the same day, without overnight stops. If the information is particularly sensitive, the journey’s key moments, such as the start and the end, should be able to be witnessed by the client. The processing facility that they arrive at should be secure, and able to offer a witnessed destruction-on-arrival service.

The processing facility should offer complete hardware destruction, which is often favourable over processes like eventual data wiping, which can be time consuming and have risks. But there should also be the option from a reprocessor of wiping data from machines at a client’s facility, prior to transport for destruction. One step on from this, some companies may need to witness the physical destruction of units for themselves – and a reprocessing partner should be able to facilitate this.

Companies should also look at the destruction process used by potential reprocessing partners. Good processors should be able to offer a final granulation of material to pieces as small as six millimetres in size for when security is even more vital. Again, if it is warranted by the client, the customer should be able to witness destruction at first hand or receive suitable evidence, such as photographs or film footage of the server’s demise. Finally, all computer waste emanating from the process should be disposed of in accordance with the criteria laid down in the legislation.

Graham Davy is managing director of Sims Recycling Solutions

Action inspires action. Stay ahead of the curve with sustainability and energy newsletters from edie