Data disposal not up to scratch

Businesses are putting customers' privacy at risk by failing to properly erase sensitive data before disposing of PCs, the Information Commissioner's Office (ICO) has warned.

Companies that only erase data or format the disk on a PC before disposing of it are breaking the Data Protection Act, the ICO said, as this procedure can leave data on the disk surface.

The warning from the ICO follows research from Lenovo which found that of 300 UK businesses surveyed nearly one-third admitted to disposing of PCs containing sensitive data without securely deleting it.

This ranged from old emails containing customers' confidential legal details and financial information such as credit card numbers and personal banking information.

Lenovo said only a fifth of businesses had policies in place to prevent employees storing and retaining such information or offered training on how to dispose of data correctly.

The ICO said this was “unacceptable”, with a representative telling Computeractive: “It is essential that companies have appropriate procedures in place to ensure that personal records on computer hard drives are rendered unrecoverable when they dispose of computer equipment.”

The ICO warned companies hoarding such information could land themselves in hot water. “Under the Data Protection Act companies have a duty to store personal information securely and delete it when it is no longer required."

Jemma Smith, spokeswoman for the UK Payments association, APACS, agreed: “Under the Data Protection Act and Banking Code, businesses are not allowed to hold onto certain financial information.

"This includes the three digit security number on the back of a card used for non face-to-face transactions and the account number.

“Scheme rules mean that if a business or retailer is found to store these then they could have card payment options taken away from them. They could also be prosecuted by the ICO for breaking the Data Protection Act.”

Smith also moved to reassure the public that while most of the unwiped data on PCs including financial information would not lead to ID theft on its own.

“Whilst it is not good news that companies are being careless with customer information, what we must remember is that a credit card number or an address alone are unlikely to lead to ID theft. Much more is needed,” she told Computertactive.

As well as advising businesses to begin to educate their staff on the importance of data wiping, she also outlined precautions the public could take to ensure that they stayed safe.

If you intend to discard an old PC and do not want to risk your data being exposed, follow our free guide to securely deleting data from a hard disk .