Businesses must check who is responsible for destroying data when computers are decommissioned, according to outsourcing experts.
The advice follows last week's news that Paul McCartney's private banking details were recovered from PCs decommissioned by the merchant bank Morgan Grenfell, now part of Deutsche Bank.
Channel Four News revealed that data belonging to the former Beatle, together with that of the Cancer Research Campaign, was not wiped from PCs that had been passed on to a third party after decommissioning.
It is vital that companies ensure any third party employed to decommission PCs knows it is responsible for destroying data held on the machines, and that this is written into the contract, according to Robert Morgan, chief executive of outsourcing consultancy Morgan Chambers. "This kind of problem is common - I've seen at least four cases like this over the last year," he said. "The contract should make it clear that the liability [for destroying data] falls squarely on the shoulders of the contractor."
Morgan said contracts that were more than three years old may not have such provisions and companies should constantly review their contracts to include any changes in law, including the new Data Protection Act, which comes into force on 1 March.
Forensic computing specialist IRM analysed computers that had come from Morgan Grenfell and found that data could be recovered in a matter of minutes and that no attempt had been made to delete it.
Deutsche Bank said it was reviewing all procedures concerning decommissioning.