Wednesday, 15 April 2015

The Proof is in the Filing Cabinet

Every job has its little nuances that no one else is aware of. Little tricks of the trade, or the thing that no one outside of the specialism has ever thought of. For most of us, those are the little stories we love to tell at parties, to impress complete strangers, just before their eyes glaze over and they make an excuse to escape to the loo.

Most jobs are boring of course. Most of the time. There are always bits that we enjoy more than others and sometimes bits that we actively like, but the reality is that most of our lives are mundane and not worth repeating to anyone. Unfortunately, as the devil is always in the detail, it is these extremely boring things which can often get us in the most trouble.

The paperwork trail is a prime example. I shall exaggerate a little here, but the of two million forms I have filled out in my long life only about ten percent were ever read, let alone put to any good use. I am sure I have wasted about a year of my time filling out things no one else will ever refer to again just to fill a filing cabinet that is probably still in storage somewhere, waiting for the statute of limitations to pass by.

The IT recycling sector can drown you in paperwork. There are certificates and processes and lists and forms that you can read until your eyes bleed, and do you know what? The vast majority just get filed away and never see the light of day again.

Why, I hear you ask? Because data security during asset disposal is all about risk management, and the paperwork is your defence, milord. The stuff eReco provides for you during the process, the waste transfer note, the asset list and finally the certificate of data destruction, are only worth their weight in gold when something goes a bit wrong. It is then, when Genghis Khan (our friendly neighbourhood Information Commissioner) is just preparing to torture your first born, that you whip them out and prove that you did everything right.

Which is why any sane individual disposing of a data-bearing device would worry about the paperwork and the little details contained therein. I know I have managed to write over 100 blogs thus far on this stuff, and I know there are a lot of details, but to simplify it down to the bare bones what you need to do is cover your backside, if you are worried about getting a sharp kick at some stage.

Some people do not worry. Many of those do not appreciate the risks...the £500k fine, the prison sentence...because either they don’t understand the risks or they take the view that they are not going to get caught. Now I understand that. It is a bit like speeding in that regard, the vast majority of times you will get away with it. I don’t speed as much as I used to, because actually the risks of getting caught have increased, what with more speed cameras being about, and because I am more risk adverse these days.

Risk management, therefore, at least in this case, is about the paperwork. That the paperwork is the proof of the excellent ethical and data safe job we do is almost by the by. And yet again the quality of the paperwork is paramount.

For instance, you have a certificate of data destruction for a list of assets, identified by serial number don’t you? I do hope you do, because otherwise you are not even on the first rung of the risk management ladder.  Our certs state the software used (Infosec 5 of course) and will satisfy Genghis Khan that you have done all you could. The hordes will return to barracks without your blood on their hands.

But what if the certificates you have do not say how the data was erased? Or they say a lower level of software was used? Or one hard drive off your asset list does not appear, because it went missing somewhere? Genghis will be sharpening the gutting knives...

My party piece revolves around legal documents spewing out of old printers we mend or what we can recover from a hard drive after low-level erasure. I thus have few friends and rarely get invited to parties! Doing things properly costs a bit more. It is actually a bit boring as well. Sometimes we all stop and read the health and safety legislation for some light relief. But what we are doing matters.

The stuff in the file is important, so is what we do to create that paperwork but you never get to see or file that for posterity. We are battling for a sustainable world where our personal data remains private. We are eco data warriors!

Put it like that and we are not so dull after all...