Q. We use data sanitization software to sanitize mobile phones. For the validation, we have another department that reviews the report for each wiped phone. The report indicates that the wipe has been completed and the phone has passed testing. Does this meet the requirement for validation of the sanitization process?
A. That sounds like a good practice that would likely meet the quality control requirement under 8.e. However, it would likely not meet the validation requirement under 8.d. Validation is meant to ensure that the process is working. For instance, the report may say “passed” but was the software configured properly? Is the software current? Are failures identified? Are employees competent? Are the results accurate? Is the data really gone?
Section 8.7 in the R2 Guidance Document sheds light on validating your process to ensure it is effective.