Showing posts with label Bar Council. Show all posts

Thursday, 9 April 2015

Doing Porridge for your Data?



During an election campaign it is probably natural to ask ourselves what a government is for? And the answer is to govern...to conduct the policy, actions and affairs of a state, organisation or people with authority...to quote a dictionary definition. Obviously quite a complicated business but when it comes down to it I believe it amounts to setting boundaries.

That is what laws are. You can do this but you cannot do that, and if you do we will punish you. In an ideal world, any government’s legislation should leave its people in no doubt as to how they are expected to behave, everything should be black and white, and we should therefore understand the consequences of our actions.

Data security is regulated but the legal boundaries are anything but clear. Not to the vast majority of people. If you sat your average business manager in a room and asked him what he was supposed to do with the data within his control, he would not have a clue.

To a certain extent that is our own fault. Not many people have ‘check the data protection act and how it applies to my role’ on their to-do list. But they should of course. It would make things so much easier in the long run, especially if the information available was written so that anyone not related to Stephen Hawking had a chance of understanding it.

Here’s a thing. An example of what I mean. When you dispose of an old Business PC, you are being governed (that word again) by two sets of legislation...WEEE and Data Protection. One classifies your old PC as waste and therefore it must be moved under a waste transfer note, by a licensed carrier and all that jazz. Not very exciting and we could have a debate about when it becomes waste, but essentially it is, so there, live with it and get a waste transfer note. It is better than a fine.

But the data stuff is trickier. According to the law you are not throwing out an old PC, you are giving away your data. From the moment it leaves your possession, your risk is running around outside of your control and protection and legally you need to show a duty of care towards its security. If you have not and it all goes a bit Pete Tong you are in the firing line of a £500k fine. Very soon you would be opening up the doors of the Scrubs and heading for a six month stretch standing nervously with your back to the wall!

Make no mistake about it; the penalties are serious and getting worse. The misuse of data is taken very seriously in Brussels and Westminster. Mess up through negligence or criminal intent and you can expect to feel the full force of the law and the Daily Mail, not necessarily in that order.

The law is often an ass but in this case it is not. It may not be educating us in how to stay on the right side of it enough for my liking but this idea that you are transporting data is good sense. People disposing of an old piece of kit do not see the data, they see the hardware. They are well used to passwords and network security and they don’t really think about what is on the hard drive. So the law is trying to say ‘hey stupid, remember what’s on there.’

The law is trying to protect everyone. Any data a business holds will involve someone else. It may just be name, address and phone number but in many if not most cases it will include sensitive stuff like bank details, medical records, financial information or even criminal records. So the law reminds you to take care.

Hence the existence of some 800 recycling businesses in this country who will deal with IT or data-bearing equipment. Or at least say they will deal with it. And this is where I get worried about the laws. The fact is they make suggestions without defining what they mean. They say use a specialist partner to make sure but they do not help with that choice. There are no British standards, no Kitemark for data erasure or destruction.

That in itself is not unusual. There are many sectors that have no government standards and quite often the sector gets together to try and set its own. The Press Complaints Commission would be a recognisable example of an industry regulating itself. In our case it is ADISA, the Asset Disposition and Information Security Alliance, an independent body which certifies members and sets standards in conjunction with the government, who do work around the edges.

However of those 800 businesses fewer than 40 are certified by ADISA. And only 3 are approved by DIPCOG to work in the MoD/Government space. Now this does not make the other 760 or the other 797 bad of course. It just suggests that in the absence of a national standard they do not see the value of playing the game.

That is a shame. The waters are muddy enough and we could do with some clarity. Because without it, who your data walks out of the door with is rather left to chance. And it is you who will pay the fine, not them. In a few months, when the new European laws get ratified, it could be you, or one of your directors, who gets to do the porridge.

Tuesday, 24 March 2015

Rocket Science



Beware cheaper alternatives. Oh yes, we all like a bargain but in the end it all comes down to quality doesn’t it? A bargain is not a bargain if it doesn’t work for very long. There is no saving if Genghis Khan arrives at your door, hordes behind him, having found your customers’ bank details for sale on eBay. And that is what this is about, remember. Data security. Your legal obligations not to put your data at risk. And the risks get bigger every day.

I used to sell roof tiles. We gave a 100 year guarantee. Our competitors stopped at fifty. Guarantees were therefore not a huge USP, because fifty years is an awfully long time to start with, another fifty is just unimaginable. But we were also more expensive than everyone else. Go figure. Quality costs.

Data security is not rocket science. We can make it sound like that if you like, with enough jargon to make your eyes water, but what we do at the disposals end of the business is really quite simple. I am going to try and explain it simply too.

The law...the data protection act...says that you, as owner of your business (or organisation) have a duty of care when it comes to protecting your data, because your company data is likely to contain information about other people – your customers, patients, pupils or whatever you have. You are free to give your own private information away if you like, no one will be too bothered about that of course, but if you expose anyone else’s confidential information you are for the high jump, or a large fine.

So if you want to get rid of something that has any data on it, you need to protect it with an auditable process. That something can be a computer, a laptop or a server, but it can also be a printer, a scanner, a fax machine, a tablet or a smartphone. If you give one of those away without erasing the data from the device memory, destroying the hard disk or shredding it, you are putting your data at risk and have thus failed in your duty of care.

Now most people get a company like eReco to take away their old kit. There are about 800 such companies in the UK, some of which are charities. Like any other sector, some are great (me sir, we are, honest!) and some not so great. Every single one of them SHOULD (and please note the capital letters) issue some paperwork to prove what they have done, deal with the data and recycle all the kit in line with WEEE regulations.

That paper is dull but important. It proves you have fulfilled your duty of care. If the worst should happen and Genghis Khan, our beloved Information Commissioner, should appear at your door with a taste for your first born, it is the paperwork which will placate him.

The basics are:

Waste transfer notes. Legally, to transport waste, you need the right notes. You may not consider your old PC to be waste but just believe me, it is in a legal sense. Compared to mass murder, not having a waste transfer note is not the most heinous of crimes, but I am just letting you know so that you can be aware. You did check that, didn’t you?

Asset lists. A bit more important and slightly more exciting. The person who collects your stuff should have an order from you asking him to collect your stuff and detailing what it is, and should then provide a full asset list of what has been collected. In an ideal world these match, and you file them under job done. I gave them PC A and they confirmed they have PC A in their possession. Your duty of care is in a good place. As long as your service provider has all the right licenses to do what they said they were going to do, at any rate. You did check that, didn’t you?

Certificates of data destruction. The final nail in your alibi. You remember PC A? Well we destroyed the data as agreed and here is the certificate to prove it. If that data now turns up somewhere nasty it is not your fault (as long as your service provider has insurance, all the right licenses and did what they said they would do, and you checked that was all ok. You did check that, didn’t you?).

Now, moving away from the exciting world of paperwork and your perfunctory due diligence, let’s have a look at the data erasure or destruction. As I may have mentioned before, best practice is to extend the lifecycle of any equipment recycled, because 80% of the damage is done during manufacture. This is what WEEE regulations say and we all do our best for sustainability. And yes we can make a few bob out of it too. But let’s leave that for now.

Let’s just agree that every supplier, however good or bad they are, wants to sell PC A on. The easiest and cheapest way to do that is to leave it alone and get rid of it, sold as seen, and not worry at all about the hard disk. That happens. A lot. Genghis has a lot of fun. But most service providers will try to erase the old data somehow. Note I said erase, not destroy. If you destroy the hard drive for PC A it is pretty much worthless, so to make any money you would have to put a new drive in. Now already you have had to remove one drive, destroy it, and put another one in. So that has cost time and money. So the best option for all concerned is to leave the drive where it is and run some data erasure software to remove the data.

There is a standard for this, set by CESG, which is basically our sainted security services, GCHQ. To erase data with no known way of retrieving it, you need to use Infosec 5 level software. To keep this simple let’s think of the task of dusting a television screen with the sun streaming in through the windows. If you use cheap over the counter software, which anyone can buy, it will cost you about £20 and you can use it forever. It gives you one wipe. Most of the dust is gone from the screen. Note the word most! It is a man’s wipe, a cursory thing not designed to be comprehensive, and if you knew how, you could get the dust back in a trice.

Infosec 5 software is a duster driven by your grandmother. It gives you three comprehensive wipes and gets right into the corners. No dust left anywhere. And in fact, if there is a hint of dust, that drive is rejected as being unsuitable for data erasure and summarily destroyed. Once wiped, no dust is brave enough to return even if a master criminal is involved.

But Infosec 5 software is not cheap and using it is not straightforward, so it is not available over the counter as it were. It is only provided by people like eReco because not only do we have to buy the expensive software license and train Ben and Aaron but we also have to pay a license fee per drive to boot. That is why we charge £5 per drive.

So when someone says ‘and we will sort your data’ you have to ask how? Because this is one of the areas where your duty of care comes into question. Del Boy may get you into some serious trouble if you do not take care.

In conclusion, the cheaper alternative I started off with can only save money in 3 crucial areas as far as I can see. They have to collect the stuff the same as us, but they could use staff who have not been security cleared and only send one driver along, which means your data could be left unattended if he or she needs a comfort break, for instance. Then they can save a bit by not bothering with any paperwork to speak of. Then they can save a lot by not dealing with your data properly. They can then make a bit more by ignoring WEEE regulations and flogging the kit for export to less scrupulous markets.

It’s not rocket science, is it?

Thursday, 12 March 2015

Man Flu and the Education of the Masses



Never sell to a sales person. Not if you want to keep your sanity. I was reminded of this when, in my role as Commercial Manager, which is posh for sales and marketing manager, I took a call about email marketing.

The young man was trying to get me to divulge the marketing segments I was interested in, so that he could rattle off the zillions of relevant email addresses he had to sell me. But as I may have mentioned in the last few blogs, I am suffering from a severe dose of man flu. I am therefore not at my most patient or friendly. In fact, I am actually a miserable old git. The girls in the office are being very nice but I suspect they are planning to kill me if I don’t recover my normal genial persona very soon.

So, in answer to who my targets were, I said everyone. No seriously. Yes everyone. Any business or organisation, charity, public sector, school or drug dealer who has electronic devices of a data bearing nature. Surely I want some more than others? No, I want everyone. Even drug dealers are legally required to recycle.

Which was me being obtuse. Of course, I want people with lots of data bearing devices to dispose of unnaturally early in their lifecycle who laugh at my jokes and have no apparent budgetary concerns. I will have as many of those as you can give me, thank you very much.

Size is really the only thing that makes a difference. Because if you are big you produce a lot of waste and you naturally develop a process to dispose of it. Or so you would think. As I may have pointed out once or twice, regular readers will confirm this, not having a process leaves you as a disaster waiting to happen.

I had a very interesting meeting with a new entity set up to deal with several large areas of the education sector the other day. Sort of outsourced government stuff if you see what I mean. Nice chaps. Seemed to like the odd joke I threw in and listened to what we had to say. Their previous supplier was a bit lax about the paperwork apparently.

Well I say previous but I mean current, soon to be previous. In the wonderful in-sourcing and outsourcing world, these guys were getting organised, starting with a clean slate, and the fact that they were exposed to a large amount of doggy-doo hitting the proverbial fan had unnerved them just a little. They wanted to put in place a much better arrangement, and who better than eReco with our DIPCOG approval and ADISA certification. We showered them in paperwork, generally showing them what we could do and I am hopeful that we will have a fruitful arrangement going forwards. I am dusting off my second meeting jokes already.

But the point is they are of a size where they have to get their act together, and their re-organisation gave them the motivation to do it. Smaller businesses have exactly the same issues, but because they do not produce the same volumes of disposals, they are rarely geared up. They largely remain blissfully unaware of the fates which might befall them.

I am very concerned about this market, the SME, although in reality it is the ME which is of the greatest concern. Your average very small business sorts himself out one way or another, and Genghis Khan, our friendly neighbourhood ICO, very rarely gets involved down there. Medium to large businesses though...they do get in his cross hairs every once in a while.

My opinion is that we need a lot more education for the SME sector. Neither the ICO nor any of the other interested parties give clear, concise advice. There is a lot of ‘if you don’t we will smite you’ but very little ‘Responsible Recycling 101’ available. We here in eReco-land are trying to redress that balance and hence the existence of this blog in the first place.

So I did not buy any email addresses. I apologise to my young friend for being a pain in the human recycling bin. I am naturally cantankerous when I don’t feel one hundred per cent, and I have to be nice to customers. That hurts when you have a temperature and a bad throat and a headache.

Tuesday, 24 February 2015

eReco – Your Get Out of Jail Free card



Who is responsible for your data?

It’s a good question. Ultimately it is a business responsibility regulated by law under the data protection act and once the EU gets around to it the responsibility will sit firmly with the directors of the business. Even if they delegate it to someone else, they can be sued, fined, jailed or even decapitated if Genghis Khan gets his hands on them.

And that is in addition to fines levied against the business.

I think that focuses the mind quite nicely. Once this becomes law (and we are past the expected ratification date, so any day now Mr Farage!) apathy is going to get quite dangerous, and once the directors are firmly in the firing line things tend to get done.

But what things?

Obviously, here in eReco land, we are going to focus on disposing of redundant IT equipment because that is our wont. There are lots of other things to do but we aren’t directly involved in that so yah boo sucks, sort it out yourselves.

So, you have a computer to get rid of and it has a hard drive, what should you do?

In simple terms, you have two different legal responsibilities.

Firstly to dispose of the equipment according to WEEE regulations. Regardless of what you call it, or any residual value, this is waste and whatever you do, you need to think about waste transfer notes and how the item is going to get to a WEEE regulated recycling facility. If you do not get a WTN you are breaking the law and if your equipment does not go to a WEEE facility and ends up somewhere naughty, you have also broken the law. So, if you give it to someone to dispose of for you, make sure you get the right paperwork and be sure they are going to do things properly. If not, those directors are in the firing line.

Secondly, you are responsible for any data on any hard drive disposed of. There is no limit to that responsibility. You remain responsible. Even if eReco collect it from you, the data is still ultimately your responsibility. You would have to prove that you have engaged a data secure service provider and that their processes met your duty of care to protect your data.

If something went wrong and there was a data breach, you would still be in hot water, because the data remains yours, and you would need to prove to Genghis Khan, or our friendly neighbourhood ICO Chris Graham, that you acted responsibly.

Now all eReco customers will have no problem proving this. We provide Waste Transfer Notes, asset lists and certificates of data destruction, and if something goes wrong we have liability insurance up to £10,000,000. Our collections are secure, with security cleared personnel, and our facility down here in East Grinstead is also secure. This is certified and checked, without warning, by ADISA, and we are also approved by DIPCOG to work in the MoD/Government space.

All of which the truly responsible client will have checked out in advance. This is the important stuff you see...you need to show due diligence. And then do you know what actually keeps the MD out of choky? Yes that’s right, it’s the boring old paperwork!

Say your data ends up on eBay. This happens. A lot. So no pooh poohing me please. As General Melchett said in Blackadder 4, ‘did he pooh pooh you Blackadder?’ I won’t have it. This is important stuff so no giggling at the back.

Once the data breach is crystal clear, you are in deep doggy doo. Genghis, however he finds out about it (and he will, because legally, if he doesn’t find out any other way, you have to tell him or face even graver consequences) will start asking some difficult questions. And the boring old paperwork which everyone takes for granted and does not give much importance to becomes absolutely crucial.

First things first, Genghis would want to see what you asked us to collect. However you do it, by email or by filling in one of our forms, we keep a record of what you asked us to collect. This is important in a minute, so tuck it away at the back of your mind. Then we give you an estimate, and you accept this estimate, and we confirm a collection date.

On said date, we rock up and get the stuff. We bring with us a Waste Transfer Note, which says we collected this sort of stuff from this address on said date. Everyone signs and you get a copy. We also have consignment notes. These detail the sort of materials being transported, whether they are hazardous or not, and give full addresses and licenses for both parties. Not very interesting but all legal proof and approval for what we are doing.

Then we bring the stuff back here. We track it in, noting any serial numbers but also adding an identity number of our own, so that we always know where it is in our system. From this we produce an asset list. It should match the list you asked us to collect, of course. If you asked us to collect 10 PCs we tell you that we have collected 10 PCs and the serial numbers are XXXXXX. You now have a comprehensive audit trail of disposal from your request to us, through transportation by a registered and licensed supplier to arrival at a registered, accredited and approved facility. In other words, you have proof of what you have done and Genghis loosens his grip on your throat, for the time being at any rate.

But before we move on, a reality check. I have said in previous blogs and always say to clients on the phone, tell us if you have more to collect than you have said.

Partly this is because we want to charge you more. I am just like that, I like to get paid. Partly it is because I know what the vehicle can take in terms of weight and quantity of stuff, and we don’t want to overload it. But mostly because it is dangerous if you add something without telling us. Because the audit trail is potentially broken. In our case, we would pick it up when we compile our asset list, but legally PC XXX has magically left your care and arrived with us. You have not asked us to take it. What if you do not even know it is gone? Genghis might well slap you around a bit because of things like that.
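One way to turn this audit trail into an actual check, as an added example (not eReco’s code or process; the serial numbers are constructed sample data): reconcile the three records the post describes, the collection request, the asset list and the certificates of data destruction, and flag every break in the chain, including kit that arrives without ever having been requested.

```python
# Added example, not eReco's code. Reconciles the three records a disposal
# should leave behind and reports every serial that breaks the chain.
#   REQUESTED - serials the client asked us to collect (their order or form)
#   COLLECTED - serials on the asset list produced when the kit is tracked in
#   CERTIFIED - serials covered by certificates of data destruction
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ChainReport:
    intact: bool          # True only if every serial passes cleanly through all three
    ok: tuple             # requested, collected and certified
    not_collected: tuple  # requested but never arrived at the facility
    unrequested: tuple    # arrived without being requested: the "extra PC" case
    uncertified: tuple    # collected but no certificate of destruction yet
    phantom_certs: tuple  # certified but never collected: a paperwork error
    duplicates: tuple     # a serial listed more than once in any one record


def _duplicates(*records):
    """Serials that appear more than once within a single record."""
    seen = set()
    for record in records:
        seen.update(serial for serial, n in Counter(record).items() if n > 1)
    return tuple(sorted(seen))


def reconcile(requested, collected, certified):
    """Compare the three records and return every discrepancy, sorted."""
    req, col, cert = set(requested), set(collected), set(certified)
    not_collected = tuple(sorted(req - col))
    unrequested = tuple(sorted(col - req))
    uncertified = tuple(sorted(col - cert))
    phantom_certs = tuple(sorted(cert - col))
    duplicates = _duplicates(requested, collected, certified)
    intact = not (not_collected or unrequested or uncertified
                  or phantom_certs or duplicates)
    return ChainReport(intact, tuple(sorted(req & col & cert)), not_collected,
                       unrequested, uncertified, phantom_certs, duplicates)


# Constructed sample records: one requested PC never turns up, one PC turns up
# that nobody asked us to take (and is listed twice), and one certificate
# refers to a serial we never collected.
REQUESTED = ["SN-1001", "SN-1002", "SN-1003", "SN-1004"]
COLLECTED = ["SN-1001", "SN-1002", "SN-1004", "SN-1005", "SN-1005"]
CERTIFIED = ["SN-1001", "SN-1002", "SN-1006"]


def summarise(report):
    """Human-readable lines, one per discrepancy category that is non-empty."""
    lines = ["audit trail intact" if report.intact else "audit trail BROKEN"]
    for label in ("not_collected", "unrequested", "uncertified",
                  "phantom_certs", "duplicates"):
        serials = getattr(report, label)
        if serials:
            lines.append(f"  {label}: {', '.join(serials)}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarise(reconcile(REQUESTED, COLLECTED, CERTIFIED))))
```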

However, let’s leave that side of things and get back to business. So we have your stuff and you have an audit trail which will be added to when we erase your hard drives and give you a certificate to prove we did it. At this point you are pretty much done. You can kneel before Genghis, carefully watching the scimitar in his hand and say ‘it was them, Guv’ if anything goes Pete Tong. We would end up in the dock together, because it’s still your data, but having employed a certified supplier and ticked all the paperwork boxes, it would take a very unreasonable Genghis to punish you, and our insurance would hopefully cough up.

Please note, this is all hypothetical, we have never had a problem and, touch wood, never will. We do things right. And going back to a well-worn theme of this blog, this is why we charge for our services. Even if we do agree a kit covers costs deal, which we do if you are recycling gold plated laptops, these costs are deducted before we share any revenue with anyone. Because we think this is the really important stuff. It’s the stuff that keeps your MD out of jail.

And you may think that is taking things a bit far. But take a look at the ICO’s hall of shame when you have a moment and imagine those breaches when director responsibility comes in. It is very tempting to look at IT equipment recycling as a cost, but I have always maintained that it is risk management.

Do it right, for your director’s sake.