e-Waste law should include data-wiping, says watchdog
European electronic waste disposal laws should include provisions to mitigate data loss, according to European data protection supervisor Peter Hustinx.
On Friday, Hustinx called for manufacturers to be compelled to integrate privacy-enhancing measures into computing devices by design, in order to make it easier for organisations to delete sensitive data prior to disposal. Hustinx was commenting on the European Commission's proposed revision of the Waste Electrical and Electronic Equipment (WEEE) directive, which regulates how European organisations get rid of unwanted electronics.
"It is important to take into account the potentially damaging effects of WEEE disposal on the protection of personal data stored in used equipment," Hustinx said in a statement. "Respect for security measures and a 'privacy by design' approach should be seen as essential pre-conditions in order to effectively guarantee the right to the protection of personal data."
Hustinx also called for WEEE to prohibit the marketing of secondhand devices that have not had sensitive information erased prior to resale.
UK data watchdog the Information Commissioner's Office (ICO) told ZDNet UK on Friday that, under UK law, organisations must delete data from obsolete equipment.
"It is essential that companies have appropriate procedures in place to ensure that personal records on computer hard drives are rendered unrecoverable when they dispose of computer equipment," said an ICO spokesperson. "Under the Data Protection Act, companies have a duty to store personal information securely and delete it when it is no longer required."
The spokesperson added that the ICO's Guide to Data Protection covers information security considerations that companies need to take into account.
The ICO has taken action against a number of organisations and individuals who have breached the Data Protection Act through improper disposal of obsolete equipment. In August 2009, the ICO said that Ipswich GP Paul Thomas had agreed to take remedial action to comply with data security requirements, after a server from his practice was found in the practice car park. The server contained the personal information of a large number of the practice's patients, and some personal data of its employees, the ICO said in a statement at the time.
Companies face maximum fines of £500,000 for breaches of privacy law, after new powers for the ICO came into effect in April.