Who is responsible for your data?
It’s a good question. Ultimately
it is a business responsibility regulated by law under the data protection act
and once the EU gets around to it the responsibility will sit firmly with the
directors of the business. Even if they delegate it to someone else, they can
be sued, fined, jailed or even decapitated if Genghis Khan gets his hands on
them.
And that is in addition to fines
levied against the business.
I think that focuses the mind
quite nicely. Once this becomes law (and we are past the expected ratification
date, so any day now Mr Farage!) apathy is going to get quite dangerous, and
once the directors are firmly in the firing line things tend to get done.
But what things?
Obviously, here in eReco land, we
are going to focus on disposing of redundant IT equipment because that is our
wont. There are lots of other things to do but we aren’t directly involved in
that so yah boo sucks, sort it out yourselves.
So, you have a computer to get
rid of and it has a hard drive, what should you do?
In simple terms, you have two different
legal responsibilities.
Firstly to dispose of the
equipment according to WEEE regulations. Regardless of what you call it, or any
residual value, this is waste and whatever you do, you need to think about
waste transfer notes and how the item is going to get to a WEEE regulated
recycling facility. If you do not get a WTN you are breaking the law and if
your equipment does not go to a WEEE facility and ends up somewhere naughty,
you have also broken the law. So, if you give it to someone to dispose of for
you, make sure you get the right paperwork and be sure they are going to do
things properly. If not, those directors are in the firing line.
Secondly, you are responsible for
any data on any hard drive disposed of. There is no limit to that responsibility.
You remain responsible. Even if eReco collect it from you, the data is still
ultimately your responsibility. You would have to prove that you have engaged a
data secure service provider and that their processes met your duty of care to
protect your data.
If something went wrong and there
was a data breach, you would still be in hot water, because the data remains
yours, and you would need to prove to Genghis Khan, or our friendly
neighbourhood ICO Chris Graham, that you acted responsibly.
Now all eReco customers will have
no problem proving this. We provide Waste Transfer Notes, asset lists and
certificates of data destruction, and if something goes wrong we have liability
insurance up to £10,000,000. Our collections are secure, with security cleared
personnel, and our facility down here in East Grinstead is also secure. This is
certified and checked, without warning, by ADISA, and we are also approved by
DIPCOG to work in the MoD/Government space.
All of which the truly
responsible client will have checked out in advance. This is the important
stuff you see...you need to show due diligence. And then do you know what
actually keeps the MD out of choky? Yes that’s right, it’s the boring old
paperwork!
Say your data ends up on eBay.
This happens. A lot. So no pooh poohing me please. As General Melchet said in
Blackadder 4, ‘did he pooh pooh you Blackadder?” I won’t have it. This is
important stuff so no giggling at the back.
Once the data breach is crystal clear,
you are in deep doggy doo’s. Genghis, however he finds out about it (and he
will, because legally, if he doesn’t find out any other way, you have to tell
him or face even graver consequences) will start asking some difficult
questions. And the boring old paperwork which everyone takes for granted and
does not give too much importance, becomes absolutely crucial.
First things first, Genghis would
want to see what you asked us to collect. However you do it, by email or by
filling in one of our forms, we keep a record of what you asked us to collect.
This is important in a minute, so tuck it away at the back of your mind. Then
we give you an estimate, and you accept this estimate, and we confirm a
collection date.
On said date, we rock up and get
the stuff. We bring with us a Waste Transfer note, which says we collected this
sort of stuff from this address on said date.
Everyone signs and you get a copy. We also have consignment notes. This
details the sort of materials being transported, whether they are hazardous or
not, and gives full addresses and licenses for both parties. Not very
interesting but all legal proof and approval for what we are doing.
Then we bring the stuff back
here. We track it in, noting any serial numbers but also adding an identity
number of our own, so that we always know where it is in our system. From this
we produce an asset list. It should match the list you asked us to collect, of
course. If you asked us to collect 10 PC’s we tell you that we have collected
10 PC’s and the serial numbers are XXXXXX. You now have a comprehensive audit
trail of disposal from your request to us, through transportation by registered
and licensed supplier to arrival at a registered, accredited and approved
facility. In other words, you have proof of what you have done and Genghis
loosens his grip on your throat, for the time being at any rate.
But before we move on, a reality
check. I have said in previous blogs and always say to clients on the phone,
tell us if you have more to collect than you have said.
Partly this is because
we want to charge you more. I am just like that, I like to get paid. Partly it
is because I know what the vehicle can take in terms of weight and quantity of
stuff, and we don’t want to overload it. But mostly because it is dangerous if
you add something without telling us. Because the audit trail is potentially
broken. In our case, we would pick it up when we compile our asset list, but
legally PC XXX has magically left your care and arrived with us. You have not
asked us to take it. What if you do not even know it is gone? Genghis might
well slap you around a bit because of things like that.
However, let’s leave that side of
things and get back to business. So we have your stuff and you have an audit
trail which will be added to when we erase your hard drives and give you a
certificate to prove we did it. At this point you are pretty much done. You can
kneel before Genghis, carefully watching the scimitar in his hand and say ‘it
was them, Guv’ if anything goes Pete Tong. We would end up in the dock
together, because it’s still your data, but having employed a certified
supplier and ticked all the paperwork boxes, it would take a very unreasonable
Genghis to punish you, and our insurance would hopefully cough up.
Please note, this is all
hypothetical, we have never had a problem and, touch wood, never will. We do
things right. And going back to a well-worn theme of this blog, this is why we
charge for our services. Even if we do agree a kit covers costs deal, which we
do if you are recycling gold plated laptops, these costs are deducted before we
share any revenue with anyone. Because we think this is the really important
stuff. It’s the stuff that keeps your MD out of jail.
And you may think that is taking
things a bit far. But take a look at the ICO’s hall of shame when you have a
moment and imagine those breaches when director responsibility comes in. It is
very tempting to look at IT equipment recycling as a cost, but I have always
maintained that it is risk management.
Do it right, for your director’s
sake.
No comments:
Post a Comment