|
||
Research and retrieval of news articles by: SPECIAL NOTE TO ALL VISITORS: |
DESTROYING DIGITAL DATA: WHAT ARE YOUR RESPONSIBILITIES?Source: PrivaTech ConsultingPosted on January 13, 2009 When it comes to electronic personal information and privacy, what is the responsible way to get rid of such information? The goal is effective destruction of the digital data such that personal information cannot be obtained or reconstructed. A popular opinion is that the BEST way to get rid of electronic data that one no longer wants to hold or that one is required by law not to hold (like irrelevant personal information), is to destroy the medium on which it is found. However, for the majority of organizations, this is a theoretical approach to a real problem. Unless you are in the unlikely situation where you have only information you need/want to get rid of on one particular medium, it is an impossible solution.Normally, we need to destroy certain information found in databases or,worst, in unstructured format such as MS Office, but not the whole database or document. Looking at the IT infrastructure of most organizations, even if youwere to destroy the initial medium on which the information was kept,you would only have a partial solution as the same information would befound on backup tapes/media, redundant servers, laptops, etc. A more practical approach would factor in the nature of the information,the context of its collection and use, the agreement and/or reasonable expectation of the party who gave the information, the media on which it is found and its security. Restoring supposedly-destroyed data does happen more often than is reported. Two of many examples: In 2003 Alberta's Privacy Commissioner released Investigation Report # H0252 which addressed the inadequate destruction of medical information from a computer that was ultimately resold. The information was readily available to be accessed by the next owner. Also in 2003, the Bank of Montreal's asset disposal contractor was contractually responsible for ensuring the hard drives were properly erased. Two Bank servers were to have been scrubbed but, thanks to an "operational error" they were offered for sale,and were sold, without having been wiped clean. The purchaser quickly discovered account information, names, SINs, and other sensitive personal information on the servers. The event was reported in the media. To claim that the low numbers of reported incidents is because there have been few incidents would be folly. It's clear that (a) people are reluctant to report and/or ignorant of what/where to report a suspected breach; and (b) many people simply do not recognize when a breach has occurred. Contributing to the problem is the frequent lack of coordination between operational network and local systems and back-up systems, and with hot/cold backup sites. Users might think they've deleted all information - without knowing that it's just been backed up to an offsite storage facility. Far less controlled is data on obsolete systems."E-cycling" roundups routinely receive computers that have not been wiped in any way. And these computer donors, who leave their personal information on machines they are getting rid of, are many of the same people who work in our governments and industries and are responsible for safeguarding sensitive information. Has any of them ever reported that information from the system they donated was used inappropriately? Would they even know? And without that knowledge, how would they be able to file a complaint to be investigated? Unfortunately, in government and private sector organizations across North America the level of ignorance about these issues continues to be extremely high - and therefore the risk to sensitive personal and corporate information continues to be high. And when the decision-makers in industry and government don't understand the fundamental issues, they don't take it seriously or give proper funding or support for document management programs, or training and awareness programs to increase knowledge and reduce the risk.
E-Commerce Alerts are issued by Bennett Gold LLP, Chartered Professional Accountants as situations develop. Bookmark this site and check back often. Our e-mail address is: info@BennettGold.ca In accordance with United States Code, Title 17, Section 107 and Article 10 of The Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes. |
ALERT WebTrust Is Your Best Defense Against Privacy Breaches. Get WebTrust Working For Your Site. |