10 key components of an effective data destruction policy
The right to erasure or destruction of data is guaranteed to data subjects by Section 40 of the Data Protection Act. Under the Data Protection Act, a data subject may request a data controller or processor to erase or destroy personal data held by them that they are no longer authorised to retain, that is irrelevant or excessive, or that is obtained unlawfully.
While the Data Protection Act provides for the erasure or destruction of personal data of an identifiable natural person, data destruction is not limited to the destruction of personal data.
Organisations can have in place data destruction policies that provide for the destruction of information stored within their premises to avoid storing documents indefinitely.
Case in point: The LSK Code of Ethics and Conduct for Advocates recognises an Advocate’s duty to maintain client records and establish and operate a secure filing and archiving system, so that client records do not get lost or misplaced, or fall into the hands of unauthorised persons. The Code also recognises the need to destroy such records and provides that should an advocate opt to destroy client records, reasonable efforts should be made to inform the client to come and take the files before they are destroyed.
Given the foregoing, having a data destruction policy is important in the data destruction process as it sets out the general principles an organisation, a data controller, or a data processor is guided by in the destruction of data. It also aids in ensuring a secure and compliant data disposal process.
Key components of an effective data destruction policy
The 10 critical elements of an effective data destruction policy are outlined below:
- The scope and purpose of the policy;
An effective Data Destruction Policy must have a defined scope with a comprehensive definition, an explanation as to why the policy is needed, and the persons to whom the policy applies. This ensures that all affected persons are on the same page.
- Identify the type of data to be destroyed;
In simple terms, data means information that is recorded as part of a relevant filing system. This Clause is essential as it defines what type of data is to be destroyed, be it client files, accounting records, employee records, or personal data pertaining to clients or employees.
The Clause also provides guidance on whether the data is stored in cloud form or in the form of hard copies. Where data is stored in an online archival system, the Clause should state whether such archived data is subject to destruction.
- An outline of how the data will be destroyed;
Identifying the data to be destroyed is key in providing an outline of how the data will be destroyed. The mode of destruction depends on the type of data to be destroyed. Data stored in electronic devices can be destroyed by methods such as deleting / reformatting, data wiping or overwriting, or degaussing. Data stored in physical form can be destroyed by burning, shredding, or recycling.
- Personnel responsible for destroying the data;
An organisation can elect to destroy data internally or employ a data destruction company to perform the task. When an organisation destroys the data internally, it is important to ensure that it has the expertise to do so.
When choosing a data destruction company, certain factors must be taken into account, such as:
  - Whether a proper chain of custody is maintained to ensure that the data does not fall into the wrong hands;
  - Whether the company provides a certificate confirming that all data has been destroyed and that no breaches have occurred;
  - Whether there are contractual obligations binding upon your organisation not to transfer certain data to a third party for processing, and if so, whether any consent is required to do so; and
  - Whether the data destruction company has an insurance provider to cover incidents of a mishap with your data, and the security measures taken by such companies.
- Transferability of the data;
This Clause sets out the form in which data is to be transferred to the person responsible for its destruction on-site or off-site and the persons responsible for collating all the data for destruction purposes.
- Timelines for destroying the data;
In any organisation, regularly destroying data that is no longer needed is vital. It is cost-effective as it helps reduce storage and archival charges. An effective data destruction policy ought to have timelines for data destruction. These timelines must take into account the requirements set out under various laws to ensure an organisation’s compliance with the Laws of Kenya.
For instance, under Section 23 of the Tax Procedures Act, tax records must be kept for five years from the end of the reporting period to which they relate or such shorter period as may be specified in a tax law.
- Exceptions – data retention/archiving;
The policy must state whether part of the data will be retained due to circumstances such as the high cost of destruction, the criteria to be used when retaining certain data, the persons responsible for storing said data, and whether authorisation is required when retaining said data.
- Nature of consent to destroy the data;
It is important for every organisation to ensure that written consent is obtained before destroying data, such as client files. This ensures that data is not destroyed in an unauthorised manner.
The policy can be brought to the attention of clients, and consent obtained before undertaking the destruction process. An organisation can also consider having a “Return or destruction of Information Clause” in its contracts with third parties.
- Certificate of “no copies retained” / Data Destruction custody report;
In any data destruction process, whether carried out on-site or by an external data destruction company, a certificate of “no copies retained” is important in enabling an organisation to protect itself should legal action be taken against it. A data destruction custody report that shows the chain of custody during the process is also key in protecting your organisation’s interests.
- Environmental sustainability;
This ensures that the organisation complies with the applicable environmental laws, policies, and procedures and that the destruction process is environmentally sustainable to guarantee minimal environmental damage.
In conclusion, ensuring data destruction is carried out securely and promptly is essential for every organisation. Having a data destruction policy is key in ensuring a proper chain of custody is maintained, that the process is not compromised and that professionals with the necessary expertise do the destruction.
Implementing a data destruction policy is a must for all organisations. The policy should be tailored to suit the business’s specific needs and must consider technological evolution. The policy should be reviewed and updated regularly and should be communicated to all employees.
How can we help?
Have you had success implementing a data destruction policy in your organisation? At Riskhouse International, we have a policy review and development program led by a team of seasoned lawyers with vast experience in policy review and development. We are also available to help review the processes and operations within your organisation, develop a tailor-made data destruction policy that fits your needs, and offer continuous periodic reviews of the policy.
To learn more about our policy review and development program and to catch up on our other news and alerts you can visit our blog on our website at https://riskhouse.co.ke/blog/.