Some 70% of
central government departments do not check that data has been
wiped from IT equipment they are disposing of, exposing them to
potential security breaches, a report released yesterday by the
National Audit Office has found.
The report said that although 90% of central government
organisations wipe data from IT equipment before it is recycled or
resold, most do not obtain evidence that
data wiping has been carried out.
"Inadequate data wiping could give rise to security breaches if
classified data is not properly removed, or the equipment on which
it is held is not handled in a secure manner," said the report.
Most public sector organisations use third-party disposal agents
to recycle their IT equipment. However, the report concluded that,
"Many public bodies have inadequate oversight of the IT equipment
disposal chain."
When public bodies are disposing of equipment they must comply
with the
Data Protection Act, which protects personal information, and
the Official Secrets Act, which safeguards official
information.
The report said that the problems are caused by the lack of an
industry-wide framework. "There is no government-wide guidance
specifically covering the disposal of IT equipment which clearly
outlines the risks, legislative framework and practical
implications for organisations," the National Audit Office
said.
The report stated that significant savings could also be made in
IT disposal if departments copied the commercial world and
disposed of units after three years instead of the current
five-year lifetime. Doing so could have saved £70m in the 2005-2006
period, the report found.
The National Audit Office recommends that the
Office of Government Commerce, the
Department for Environment, Food and Rural Affairs, the
Department of Trade & Industry, and the
Environment Agency - the public bodies with the greatest
responsibility - should conduct a joint analysis into how to
maximise the "whole life value" of IT equipment.