Although the ‘W’ in the WEEE directive stands for waste, categorising ICT assets at end of life as waste is at the core of our problems when dealing with this business process. As users, at the end of each working day we leave, piled up in our bins, the waste we have produced. We place zero value on the wrappers from our lunch, the free newspaper carried into the office and broken old pens, which reside in our waste bins. We don’t spare a thought on our journey home about what is happening to this waste and who has access to it. We simply assure ourselves that it won’t be there tomorrow, that someone else has made the problem go away.
This approach can extend to addressing redundant ICT equipment. It is left on shelves, in store cupboards or piled unceremoniously into rooms because it’s old; we’ve finished with it and it is therefore someone else’s concern. Interestingly, should the releasing company wish the asset to be re-sold for revenue generation then the Environment Agency’s own definition confirms that the asset should not be classed as waste as there is ‘no intention to discard’.
So in order to write a narrative on the problems faced with redundant ICT, I must first start by challenging the very perception of this process. If we approach ICT disposal with our thoughts stuck in an indifferent approach to waste management we are destined to fail. A failure to address the physical asset, software as an asset and finally, and most importantly, data as an asset will ultimately lead to risk taking, non-compliance and most of all, missed opportunities.
What are the challenges?
Technology has changed significantly in the past 10 years and yet, within ICT disposal, attitudes have not. Companies make sweeping statements without considering other data-carrying media, or say they use CESG-approved software without understanding that CESG has not approved software overwriting on NAND-based storage such as solid state. Unless the business process of ICT disposal is given more thought, these types of flippant comments result in poor policy, poor process and poor relationships.
There is no quick fix for security technologists to deploy when dealing with ICT disposal. The roadmap to secure ICT disposal starts somewhat unfashionably with policy, which leads to good processes. Together these form the foundations for a disposal solution incorporating great partners, industry leading solutions and most of all, compliant, management oversight.
Who bears responsibility?
Overall responsibility for ICT disposal is often difficult to identify. Many businesses split responsibility for the physical assets across a range of functions and therefore disposal responsibility is often also shared. Facilities may look after the mobile phone contracts and printer estates whilst traditional IT departments look after user technology such as PCs and laptops. Within healthcare there are further complications, as there are outsource partners such as Health Informatics involved.
In addition, senior information risk owners (SIRO) or information governance managers (IG) have overall responsibility for IG governance, without perhaps being able to influence operations in the way that they would wish. These roles, and that of the new Data Protection Officer (a legal requirement within the terms of the new Data Protection Act), are going to be increasingly important as the focus from the regulators on Data Protection and Privacy is being magnified by the changing EU Data Protection Act. This re-write will see many changes when passed into UK law (2016), with the headlines understood at this point to include an increase in potential fines, changes in breach notification and a change in the processor/controller relationship.
To summarise the challenge, we have a business process which is perceived indifferently by many, which has poor central policy due largely to the lack of central ownership of the process and which is delivered by a range of different entities within a single business.
This results in a lack of acceptance of responsibility and in a range of inconsistent and uncoordinated processes being in place and a range of suppliers providing services.
These elements are generally ignored, and are only scrutinised when a problem has occurred. When we put this into the context of a changing and increasingly aggressive regulatory environment, we can see that, because responsibility for the data continues until that data is no longer available, ICT disposal will become the final stage within the business’s data protection effort. Only when the asset has been sanitised in a controlled manner will the legal liability end and potential regulatory action subside.
Roadmap to Compliance
There is an ever-growing list of requirements for all businesses to be compliant with, and the greatest challenge is actually understanding, ‘what should we do to actually be compliant?’ For ICT disposal the overarching law is the Data Protection Act, which is changing significantly, although the objective for ICT disposal will be the same: to sanitise data on every data-bearing asset so that it is no longer recoverable, and of course to comply with software and environmental laws.
Within the UK the data regulator is the Information Commissioner’s Office (ICO) and it is to the ICO that we should look for guidance. In November 2012 a set of simple guidelines was released which allowed businesses to review and map the requirements across to their own business operations. These can be found on the ICO website, and a simple gap analysis against them would be a good starting point.
In January 2014, ADISA undertook a freedom of information project into Acute Trusts within the NHS. The good news was that, in my opinion, there was significant improvement from a previous telemarketing project we had performed in 2010. Trusts generally seem to be putting structures in place from which to grow. In 95 per cent of cases there was an individual responsible for ICT disposal and 96 per cent were aware of the ICO guidance notes. Despite this ownership and knowledge, there was still evidence across the series of questions that between 25 per cent and 40 per cent of trusts were not compliant with the ICO requirements, leaving themselves exposed to regulatory action should something go wrong. The questions are whether the individual responsible is really able to shape the process within the business, and whether they perhaps require greater management support in order to influence compliance within this process.
At ADISA we adopt a simple five-stage approach to excellence within asset disposal and these steps go some way to helping businesses comply with the ICO requirements.
The first step is to write an overarching asset disposal policy. This should include data categorisation, business impact, threat profiling and risk assessment, and should finally produce an approved media sanitisation profile.
The second step is to write internal and external policies and procedure statements to measure and mitigate operational and third-party risks. Not only must an ICT disposal policy cover all the different media types, but it must also be interpreted into departmental policy, which sits across all hardware streams and all forms of hardware ownership. It is crucial that the processes include the provision and maintenance of the chain of custody of assets throughout. Too many companies have no idea what assets they have released for disposal, with no genuine audit trail in place.
The third step concerns data processors. All data processors should have a clear service specification issued to them, and this relationship should be governed by a contract issued as a result of a thorough selection process. This process should measure the processor’s capabilities to perform the services and should be usable to demonstrate due diligence on the data controller’s behalf.
Step four involves auditing and reporting, which is essential to show compliance. All internal and external processes need to be measured and assessed.
Finally, review. Too many disposal policies are outdated within months of completion. Threats change, technology changes and businesses themselves change. The disposal policy should have a 12-month review period.
There are many resources available from ADISA to help, including a white paper on the changes to the Data Protection Act and their impact on ICT disposal, and also formal training courses with the University of South Wales. The starting point would be to participate in a free webinar on 29 May 2014, which has speakers from the Information Commissioner’s Office and from NHS Trusts. The objective is to introduce the ICO guidance notes and to offer advice on how to interpret these into sensible operational improvements.