Lindsay ClarkBusinesses must check who is responsible for destroying data
when computers are decommissioned, according to outsourcing
experts.
The advice follows last week's news that Paul McCartney's
private banking details were recovered from PCs decommissioned by
the merchant bank Morgan Grenfell, now part of Deutsche Bank.
Channel Four News revealed that data belonging to the former
Beatle, together with that of the Cancer Research Campaign, was not
wiped from PCs that had been passed on to a third party after
decommissioning.
It is vital that companies ensure any third party employed to
decommission PCs know they are responsible for destroying data held
on the machines and this is written into the contract, according to
Robert Morgan, chief executive of outsourcing consultancy Morgan
Chambers. "This kind of problem is common - I've seen at least four
cases like this over the last year," he said. "The contract should
make it clear that the liability [for destroying data] falls
squarely on the shoulders of the contractor."
Morgan said contracts that were more than three years old may
not have such provisions and companies should constantly review
their contracts to include any changes in law, including the new
Data Protection Act, which comes into force on 1 March.
Forensic computing specialist IRM analysed computers that had
come from Morgan Grenfell and found that data could be recovered in
a matter of minutes and that no attempt had been made to delete
it.
Deutsche Bank said it was reviewing all proced-ures concerning
decommissioning.
Security