A study by the Asset Disposal and Information Security Alliance reports some embarrassing results for the UK law enforcement community.
October 2015 — The Asset Disposal and Information Security Alliance (ADISA) has carried out its third Freedom of Information (FOI) request into how UK government organisations meet their regulatory requirements when disposing of critical data-carrying infrastructure.
The latest survey focussed on UK police forces, which responded to a list of 10 questions; the results leave some forces highly embarrassed. In 68% of the responses the person responsible for data protection was identified as the Chief Constable, yet the answers to another question confirmed that many of those same forces acknowledge they are breaking the current UK Data Protection Act 1998.
Founder of ADISA, Steve Mellings said, “Clearly this shows that rather than wilfully breaking the law, they simply don’t understand what they are meant to do when disposing of ICT assets. There is a frustration within the ICT recovery industry that organisations still do not take their responsibilities seriously when looking to dispose of ICT assets. Our objective for our series of FOI studies is not to embarrass but to draw attention to a business process which is simply dismissed by many so that improvements can be made.”
ADISA sent requests to 47 police forces throughout the UK; only 74% confirmed awareness of the UK Information Commissioner’s Office (ICO) guidance notes for this process, a poor figure. Further questions identified non-compliance both with existing law and with the UK data regulator’s recommendations. Examples of non-compliance include not having contracts in place, not auditing their partners and not having policies in place.
Mellings continues, “After previous FOI requests to the NHS and to Local Authorities revealed that 40% of the NHS questioned and a staggering 60% of Local Authorities were not complying with these ICO guidelines, we had hoped for a bit more from our Police Forces. However, due to no contracts being in place with their data processors and no audits taking place, nearly 50% would be viewed as not meeting regulatory requirements.
“We’re sympathetic to organisations struggling with some of the highly technical threats to their data, but to simply allow data carrying assets to leave your control without rudimentary controls is akin to leaving your data centre doors open. A breach is only a matter of time.”
ADISA operates an IT asset disposal industry certification scheme with members in eight countries and with formal recognition from DIPCOG, a joint CESG and MOD committee.