Some 70% of central government departments do not check that data has been wiped from IT equipment they are disposing of, exposing them to potential security breaches, a report released yesterday by the National Audit Office has found.
The report said that although 90% of central government organisations wipe data from IT equipment before it is recycled or resold, most do not obtain evidence that data wiping has been carried out.
"Inadequate data wiping could give rise to security breaches if classified data is not properly removed, or the equipment on which it is held is not handled in a secure manner," said the report.
Most public sector organisations use third-party disposal agents to recycle their IT equipment. However, the report concluded that, "Many public bodies have inadequate oversight of the IT equipment disposal chain."
When public bodies are disposing of equipment they must comply with the Data Protection Act, which protects personal information, and the Official Secrets Act, which safeguards official information.
The report said that the problems are caused by the lack of an industry-wide framework. "There is no government-wide guidance specifically covering the disposal of IT equipment which clearly outlines the risks, legislative framework and practical implications for organisations," the National Audit Office said.
The report stated that there are also significant savings to be made in IT disposal if departments copied the commercial world and disposed of units after three years instead of the current five-year lifetime. Doing so could have saved £70m in the 2005-2006 period, the report found.
The National Audit Office recommends that the Office of Government Commerce, the Department for Environment, Food and Rural Affairs, the Department of Trade & Industry, and the Environment Agency - the public bodies with the greatest responsibility - should conduct a joint analysis into how to maximise the "whole life value" of IT equipment.