Secure Disposal of Electrical Waste - Why you should be concerned
Last year's WEEE Directive has brought an avalanche of unwanted electrical and electronic equipment into waste disposal centres - and with it a mountain of data. We explore the implications for the industry.
Data protection has hardly been out of the headlines over the last few months. It was only last year that HMRC managed to lose a CD with details of 25,000,000 child benefit claimants, or almost every family in the country. In January the Royal Navy mislaid the personal details of up to 600,000 people. And a government subcontractor recently misplaced the details of 3,000,000 learner drivers somewhere in the wilds of Iowa.
Embarrassing for the government, certainly. But surely not an issue for the average business, local authority, or waste management professional?
Yet alarmingly, because the WEEE Directive requires businesses to dispose of redundant or unwanted electronic equipment correctly, often in fraudster-friendly batches of multiple units, a veritable flood of data is, sometimes quite literally, thrown out on the streets.
Embedded in unwanted computer systems, redundant medical equipment, and the like, it looks indistinguishable from the pieces of junk plastic and metal that house it, and many professionals treat it far more cavalierly than HMRC did its CDs.
Until the first test case, it remains unclear whether waste managers or their clients will be liable for prosecution in the event of data theft from materials such as hard drives. But it is definite that, when waste managers outsource WEEE that contains personal data for processing overseas, they have breached the Data Protection Act by exporting personal data beyond national boundaries.
When (and unfortunately "if" is not an option) the first major fraud is committed using personal data recovered from WEEE, it is quite possible that both the businesses which created the data and the waste managers who failed to ensure its secure destruction could be liable for prosecution.
For Chris Spooner, of Midex RT, an Approved Authorised Treatment Facility of WEEE, data loss is an accident waiting to happen.
"Frankly, I am surprised it hasn't happened already," he remarks. "I deal with IT professionals all the time, people who are aware enough of digital security to have anti-spyware and antivirus, and often keen enough on data protection to encrypt their home systems. Yet these same guys will send us 500 laptops for disposal, by unsecured courier, hard drives intact, and not even tell us when they have been dispatched. Who knows what is happening to the data in transit?"
The Data Protection Act, which became law in 1998, guarantees some protection. Yet a decade ago it would have been impossible to predict the sheer volume of electronics being discarded as waste - or, for that matter, the sheer proliferation of data and devices that hold it.
While organisations such as the police and hospital trusts are generally well aware of the sensitive nature of the information their discarded servers, server tapes, laptops and hard drives can hold, other businesses can be very blasé indeed.
"Even where a business is otherwise fairly aware of data protection, there is still a perception that waste is rubbish, and so doesn't matter," says Spooner. "In a recycling, reusing world, that is no longer true."
One typical scenario - far less dramatic than many Doomsday scenarios, and therefore not very well known - derives from the growth of internet banking. Many employees perfectly legitimately use their work laptop to check their bank account online during their lunch hour, or at home during the evening.
When their laptop is sent for disposal under the WEEE Directive, if data security policies are not followed, their bank details could be accessed by anyone from the courier transporting the laptop, to employees at the recycling plant, to an end user to whom the laptop is ultimately resold. Either the parent business or the waste management organisation will have liability for the fraud, having failed in their duty of care.
According to Spooner, "A lot of organisations simply don't understand how hard it is to wipe a hard drive completely and how very unwise it is to reuse one. They will, basically, put hard drives packed with sensitive data back into circulation, and hope that the person who buys them is legitimate."
Midex, one of only a handful of organisations that specialises in WEEE, offers its clients two levels of secure disposal. The most rigorous, as favoured by clients from the police to banks, is known as witnessed secure destruction.
"While our clients take security extremely seriously, I have to say that most of them actively enjoy this option," remarks Spooner. "It's a bit of boyish fun, on some levels. We stop all our machines and clear everything from the system - and when you're talking about 10,000 sq. ft. of working space, that's a lot of clearance - ready for the client to dispose of their data."
Modes of arrival vary. Some clients arrive in a Securicor van, others in a patrol car, others simply looking nervous with a briefcase full of laptop drives. Once through Midex's own security perimeter, clients are invited to a viewing gallery, offered a hot drink, and given the opportunity to drop their own data into the chute.
"With very sensitive data it is critical that the client sees it destroyed," explains Spooner. "Here they literally watch it slide down the chute, into the mouth of the crusher, and emerge seconds later as 25mm fragmented pieces. These travel along a conveyor belt and pass through a series of separators to extract metals and plastics for processing for reuse. The client watches the entire process and even gets a 'goody bag' of fragments to take away."
The second method relies on lockable wire storage cages, on rollers for easy transportation around site. These are kept at the client's premises and transferred to Midex once they are full.
"The cages are a simple way for the client to enhance security on their own site and during transportation," explains Spooner. "On-site, we recommend that only one employee has a key and that cages are kept locked. They are often transferred to us locked and timewrapped under tamper-proof plastic straps, while the key to the padlock is couriered separately."
This level of protection is recommended for almost every business disposing of computer systems. For the Data Protection Act does not only cover vast quantities of overtly personal data, such as HMRC's missing CDs. It extends to more routine material, the kind of information that is routinely found on every hard drive and, increasingly, on products such as BlackBerries.
It runs the gamut from CVs of job applicants on a secretary's laptop to credit card numbers stored in a till system to medical records embedded in hospital equipment. And waste managers could be liable for any breach.
Worse still, as mobile communications and storage devices become more common, and accessories such as printers and routers more sophisticated, the data security risk spreads from system to system and machine to machine.
"The message we normally get from our clients is the standard waste disposal one of 'Just take these things away'," says Spooner. "We know that they are going to come to us chock-full of data. But because we do what we do, we process them appropriately and securely. That means they are spared the chance of finding out why we need to do that."