Documented Data Destruction Procedures
A Recycler is required to document methods of data destruction for each type of media-containing equipment and media. Data Destruction procedures should include detailed instructions to successfully destroy the data on the particular device (R2:2013 Guidance, section 8.5). Methods of data destruction will vary by device type. For example, solid-state memory devices (such as those used in mobile devices and more modern “thin and light” laptops) require different wiping and destruction procedures than traditional spinning-disk hard drives. Additionally, data storage in phones or mobiles is physically smaller than laptop or desktop storage, meaning those devices necessitate a smaller shred size for effective destruction. Consider using regularly updated visual work instructions at sorting stations that describe which types of devices contain data.
Data Destruction Training
Employees must be trained on Data Destruction procedures, and records of employee training must be maintained (R2:2013 Guidance, section 8.6). Qualified personnel are required to administer all trainings and evaluate employee competency. All training procedures should be documented.
Data Destruction Process Validation
Independent validation of your data destruction processes is required to ensure successful destruction (R2:2013 Guidance, section 8.7). Validation requires documented evidence that demonstrates a PROCESS consistently and effectively produces an outcome that conforms to established criteria and quality controls.
Review and validation of data destruction procedures should include: validation of the procedures, effectiveness of employee training, calibration, maintenance of equipment, and performance of data destruction methods. Reviews should specifically include competency evaluations of employees, attempts at data recovery from sanitized devices, verification of calibration schedules, and verification of data sanitization records.
Other types of validation may include periodic media recovery checks and a detailed internal audit of the data destruction process.
Data Destruction Security Controls
Security controls should be in effect from the time you take possession of the data-bearing media to the time the data has been destroyed. Security controls should consider physical security (locked trailers, locked bins, cages, locked rooms), monitoring (cameras, key fobs), chain of custody (transportation to facility, transportation to downstream vendor, if data is still present) and personnel qualifications (background checks). The level of security used in all of your procedures should be relevant to the most sensitive type of equipment you are processing. For example: if HIPAA material is the most sensitive material, but only accounts for 10% of a facility’s volume, all security must be designed around meeting requirements for HIPAA.
Data Destruction Process Management of Change
It is important to note that as data storage devices evolve, data destruction methods will also change, and data destruction practices must be reviewed and modified. Determine how you will stay up to date with the newest technology and data destruction methods. Regularly assess the types of material coming into your facility, and communicate changes in the composition of your incoming recycling stream to your employees. Sort and data destruction procedures should be revised and kept up to date based on assessment results.