
Trash and the Data Protection Act


    Date: 9 Oct 2001


    One change previously highlighted is the new requirement for all data processing carried out by third parties to be subject to a written contract, requiring the processor to take appropriate security measures against unauthorised or unlawful processing of the data.

    Security is particularly important in the context of the destruction of data.  The Data Protection Act adopts a "cradle to grave" approach, and makes it clear that destruction falls within the definition of "processing".  There have been a number of well-publicised horror stories of customers' records being found in rubbish bags outside banks - it would be difficult now to argue that this method of destroying data is adequate to protect against unauthorised or unlawful processing, as the Act requires.

    Are your procedures for destroying data sufficient to comply with the Act?
    Organisations should bear in mind the following:

    *  If disposing of manual records through a 'standard' refuse collection service, consider whether there is a need to shred the material first - bear in mind that even if the refuse collection service ultimately destroys the material (which it may not do in all cases - e.g. landfill), there will still be the possibility of an unauthorised or unlawful disclosure pending such destruction.  Alternatively, the refuse collection service should be contractually obliged to dispose of the material properly and take appropriate security measures pending its destruction.

    *  If using a professional information destruction company, ensure that a written contract is put in place with that company, as required by the Act - this should oblige the destruction company to take appropriate security measures, and to act only on your instructions when destroying the data.

    *  Take particular care when destroying computer equipment, as there have been a number of stories of information having been obtained from supposedly wiped hard drives.

    Finally, note that these requirements apply to ALL personal data, whether electronic or manual, and regardless of when the records were first produced.



    This document is for general guidance and research purposes only, and does not purport to give professional advice. Please check the date at the top of the article; the Workplace Law Network retains historic articles for general research.