Secure Data Deletion and Disposal of Redundant ICT Assets


31 July 2014

 

Following a rigorous procurement process, NHS Commercial Solutions has awarded a framework agreement for the provision of services for the secure deletion of data from, and subsequent disposal of, redundant ICT assets.

Unauthorised disclosure of information is a major risk to organisations working with sensitive data, mainly due to the increasing dependence on electronic storage systems and the use of disposable media. NHS and third-party systems may contain sensitive, patient-identifying or business-critical data. To prevent unauthorised disclosure it is essential that assured data destruction take place.

The framework agreement provides services to:

  • securely and irreversibly erase data from a range of media prior to removal of that media from customer premises; and
  • securely and legally dispose of redundant information and communications technology equipment and media.

The disposal of media that holds data is considered to be ‘data processing’ under the Data Protection Act. A number of provisions are included in the Act that apply in such circumstances, i.e.,

  • you must choose a data processor who provides sufficient guarantees about its security measures to protect the data it is processing;
  • you must take reasonable steps to ensure those measures are in place; and
  • there must be a written contract setting out what the data processor is allowed to do with the data.

The suppliers appointed to the framework have all demonstrated their ability to meet the above requirements and have agreed to the terms of both the framework and the call-off contracts under the agreement.

The framework was procured in two lots:

Lot 1 provides for the on-site destruction of data and the removal of the remaining hardware for recycling and disposal in accordance with statutory regulations and the Statement of Requirements. Under this lot, equipment will be dismantled and all components recycled to prescribed environmental standards.

Lot 2 provides for the on-site erasure of data and the removal of the remaining hardware for refurbishment and resale in accordance with statutory regulations and the Statement of Requirements. Under this lot the data is securely erased from the hard drive, all client-specific markings removed, and the equipment tested and prepared for resale. The participating authority will receive a percentage of the resale value from the supplier.

The specifications, developed by a group that represented interested parties in a wide range of trusts and taking input from the Environment Agency and the Information Commissioner’s Office, cover:

  • performance of the works at customer premises;
  • identification of assets and reconciliation with the asset register;
  • hardware configuration testing;
  • data erasure/destruction;
  • transportation of hardware to the contractor’s premises;
  • contractor’s personnel;
  • disposal and recycling;
  • remarketing of cleansed equipment; and
  • disposal of non data-bearing equipment.

The agreement is available to all public sector bodies and registered charities.

For further information please contact:

Derek Howe

NHS Commercial Solutions

T: 01306 646810

E: derek.howe@nhs.net

