Data Protection: The dangers of disposing WEEE!

I’m writing this Datonomy post on my newly installed PC. A few weeks ago I was lucky enough to receive an upgraded computer from my firm. In the early hours one morning, a member of the IT department (so I’ve been told) entered my office, removed the old redundant PC (which I’d been complaining for months was slow, unstable and crashed frequently) and whisked it away to be … … … well, I wasn’t exactly sure where it went but I assumed it was either destroyed or more likely recycled in line with the UK’s Waste Electrical and Electronic Equipment (“WEEE”) Regulations 2006. The WEEE regulations impose a responsibility for the collection and disposal of waste electrical and electronic equipment on the manufacturers of the equipment and compel them to use the collected waste in an ecologically-friendly manner, either by ecological disposal or by reuse/refurbishment of the collected WEEE.
This might sound like a fantastic, environmentally friendly and totally harmless way to get rid of old electronic equipment, but behind this disposal and recycling lurks a hidden danger which was this week brought into the spotlight by the European Data Protection Supervisor (“EDPS”) Peter Hustinx (see the EDPS opinion). That danger relates to the fate of data, particularly unsecured personal data, which has been generated over the lifetime of usage of the old equipment and is stored within it. Unless proper steps are taken to ensure the complete deletion of the personal data from within this equipment, the data may be accessible to future users of the equipment and, if and when it is recycled, there is a very real risk that privacy breaches could occur if this data is still retrievable.
It is this potential risk of personal data falling into the wrong hands that Hustinx wants to eliminate. His proposal to amend the Europe-wide WEEE directive would force producers of electrical equipment to build in privacy and security safeguards which would enable users to wipe clean any personal data stored by electrical equipment, quickly, easily and free of charge, prior to the equipment’s disposal or recycling. Furthermore, the EDPS has called for the WEEE directive to prohibit the marketing of second-hand electrical devices which have not had sensitive information erased prior to resale.
Panicked by the notion that my old personal data could, at this very moment, be being reviewed by someone using my old recycled PC, I put in a frantic call to my firm’s IT department. To my relief, I am reassured that my firm took great pains to employ a specialist company to delete and destroy any personal data on my old PC before it was recycled. As it turns out, it’s likely that the UK data protection regime (through the 7th principle) already requires organisations to delete data from obsolete equipment before it is resold, but this is not necessarily the case in all European countries, hence Peter Hustinx’s latest initiative – a warning to Datonomy readers – take note!
