Q. We use a data sanitization software to sanitize handsets. For data validation, another department reviews the report that is generated for each handset. The reports indicate that the data wipe has been completed and the phone has passed testing. Does this meet the requirement for validation of the data sanitization process?
A. That sounds like a good practice that would likely meet the quality control requirement of Provision 8.e. However, it would likely not meet thevalidation requirement of Provision 8.d. The intent of the validation requirement is to ensure that the process is working. Although the report may say “passed,” have you verified that the software is configured properly? Is the software current? Are failures identified? Are employees competent? Are the results accurate? Is the data really gone? Section 8.7 of the R2 Guidance document sheds some additional light on the subject.
Bottom line: Consider how your process is being validated to ensure effectiveness and accuracy of results.