Written By Ruth Promislow
The disposal of hardware in the wrong manner can leave an organization offside its regulatory obligations under privacy legislation. Depending on the residence of the individuals or entities whose personal data is stored by organizations, improper disposal of hardware storage devices may be offside of regulatory obligations in several countries.
Morgan Stanley recently agreed to pay US$35 million to the U.S. Securities and Exchange Commission (SEC) further to an inquiry by the SEC regarding the alleged improper removal of computer devices from the Morgan Stanley offices. The SEC alleged that the company hired a moving and storage company with no expertise in data protection to decommission thousands of servers and hard drives. The SEC further alleged that the moving company sold those devices, which included the personal identifying information of millions of customers. Morgan Stanley has not admitted the allegations.
This case raises an important risk which is often overlooked. Hardware used by an organization typically contains substantial amounts of personal and confidential information. If not wiped properly, that information can be subject to unauthorized access. If an organization outsources the task of removal and destruction without taking the appropriate steps, that organization is exposed.
Typically the manner in which hardware is disposed of by an organization is left to the IT department. However, the risks inherent in this exercise call for management oversight on how this task will be carried out, including for example the vetting of third-party suppliers who may be retained to dispose of the equipment, contractual obligations and indemnity terms in the agreement with those suppliers, and limitations on the supplier's ability to outsource its obligations.
The Office of the Privacy Commissioner of Canada (OPC) recommends the following (among other things) in its guidance document entitled Personal Information Retention and Disposal: Principles and Best Practices:
- Personal information must be securely destroyed or removed before disposing of hardware that contains such information.
- If the organization has to dispose of electronics, it should have a designated person responsible for arranging appropriate data destruction and instruct employees to direct all electronic material and devices to that person.
- An organization should carefully assess the respective risks and benefits of destroying personal information on-site or off-site.
- When considering using a third party to dispose of personal information, an organization should take into account the sensitive nature of the personal information and take commensurate steps to manage the risks accordingly.
- An organization should ensure that the third-party contractor has verifiable credentials and can guarantee both a secure transfer of records from the organization's office to their own destruction facility, and a secure destruction method that matches the media and information security.
- If an organization decides to contract out, it should keep in mind that it remains responsible for the information to be disposed of. Best practices when dealing with third parties include:
  - privacy protection clauses in contracts to ensure that third parties to which personal information is transferred for processing (and any possible subcontractors) provide the same level of protection under the law as your organization does; and
  - monitoring and auditing clauses to ensure track record and quality control.
Privacy and confidentiality issues require careful planning and consideration at every step of the data life cycle, from collection to disposal. The consequences of failing to do so can be significant.
The Bennett Jones Privacy and Data Protection group would be pleased to assist you with any questions you may have.