Data Protection and the Disposal of Old Equipment

November 1, 2002

The 5th Data Protection Principle (Data Protection Act 1998 Sch 1 Part I para 5) states that:

Personal data processed for any purpose or purposes shall not be kept longer than is necessary for that purpose or those purposes.

Much of the discussion has been about the disposal of the records themselves after fulfilment of whatever purpose they were collected for in the first place. But not only must there be a clear policy about disposal of old records and files, there must no less certainly be a policy about disposal of old equipment. Information which has been used on a personal computer will usually still reside for some time afterwards on the disk or in cache memory – a fact which has proved particularly useful to the police when investigating computer pornography and other offences. Therefore, unless the computer is to be disposed of by total and irreversible physical destruction, all personal data (and for that matter all other data) must be erased. There is also a practical need to delete all software since, except in very unusual circumstances, the licence granted to the organisation by the owner of the software to use that software is not transferable.

In the early days of PCs it was all too easy to reconfigure the hard disk, thereby erasing everything from the computer – a mistake positively encouraged by the fact that different manufacturers called the hard disk A:/ rather than C:/! Now there are programs which purport expressly to delete files in such a way that they are impossible to resurrect, and such a system might be used, provided the data controller has satisfied himself that the manufacturer’s claim to total destruction is justified – i.e. that cache memory is erased as well. Destruction, whether physically of the computer itself or by software of the data upon it, should be performed by the data controller before the equipment is removed.

An alternative to in-house destruction is donating the equipment to a charity – often a school, especially in a third-world country. This is an attractive option promoted by, among no doubt others, Computer Aid International (www.computer-aid.org), who are understandably appalled at the waste in simply destroying equipment which still has many years’ life left in it. They undertake to wipe the hard disk completely, offer to take full legal responsibility for this and will then reconfigure the computer for the new recipients. The charity’s offer to take full legal responsibility might deal with the lack of transferability of the software. But if you hand the equipment with one or more personal files over to Computer Aid International or some similar body for them to destroy the file, even though they take legal responsibility, it seems to me that they will become a data processor within the meaning of the Data Protection Act (“processing” includes “erasure or destruction”: s. 1(1)), acting on behalf of you as data controller. Therefore you still retain legal responsibility under the 7th Principle to ensure that the data processing contract and its operation comply fully with the appropriate technical and organisational measures against unauthorised or unlawful processing of personal data required by that Principle (Sch 1, Part II, paras 9-12 give the detail of this).

Another alternative may soon be that of returning the equipment to the manufacturer. This is being promoted by the EU’s proposed Waste Electrical and Electronic Equipment Directive. The basis of this is the damage which uncontrolled disposal can do to the environment and a desire to encourage manufacturers to recycle and reuse materials wherever possible. If and when the Directive is approved and enshrined in our law, it will be illegal simply to destroy equipment. Instead (as the proposal now stands), we shall be able to return equipment free to the manufacturer. It has to be admitted, first, that though it may in the long run encourage manufacturers to look for better ways of using recyclable materials, the proposed Directive must in the short term push prices up. Secondly, the well-publicised difficulties in implementing the existing regulation on the disposal of refrigerators (Ozone Depleting Substance Regulation 2037/2000) show that passing such legislation without the structure to give effect to it can be a largely fruitless exercise.

However, even when the Waste Electrical and Electronic Equipment Directive is in force, it still seems likely that whoever finally destroys the data will be the data processor and the original data controller will have full responsibility for the destruction of all personal data (and software) on such a computer before handing it back to the manufacturer.